This is the final Patch Tuesday for the year and also the last one using the "per-patch" detailed format. Starting in January, we will match the latest Microsoft patch deployment grouping or "roll-ups" and provide patch-related insights and deployment guidance based on the Windows Security, Quality, Office, and .NET cumulative updates.
For December, Microsoft has released 12 updates, six of which are rated as critical, with the remaining six rated as important. This month also includes a fix for those Windows 10 users who had trouble connecting to the internet after the last wave of patches from Microsoft. For this month, Microsoft did not provide any mitigating factors or workarounds for any of the updates bar one. MS16-154 is the Microsoft wrapper for the Adobe Flash patch that comes with some advice, "Disable Flash."
MS16-144 -- Critical
MS16-144 resolves seven privately and one publicly reported vulnerabilities in Microsoft Internet Explorer (IE) relating to memory corruption (both browser and scripting engine) and security bypass issues that left un-patched could lead to a remote code execution scenario. This update will be included in the December monthly security update for Windows. Though there are no zero-day issues related to IE for this month, this patch is rated as a "Patch Now" due to a publicly disclosed memory vulnerability. As this update applies to all currently supported versions of IE, add this patch to your "Patch Now" update deployment effort.
MS16-145 -- Critical
Unusually, Microsoft's newer evergreen browser Edge has more reported issues than IE with 11 issues, three of which have been publicly disclosed. Like IE, these reported vulnerabilities relate to the usual memory corruption and security bypass issues we have seen in the past with both browsers. MS16-145 attempts to resolve these reported vulnerabilities, the worst of which could lead to a remote code execution scenario. Add this update to your "Patch Now" list.
MS16-146 -- Critical
MS16-146 is the second update for the Windows Security Only cumulative or "roll-up" update for this month. This patch addresses three privately reported vulnerabilities in the Microsoft graphic component and replaces last month's graphic component update for all Windows 10 and Server 2016 systems. As this update will be deployed with the security roll-up for Windows 7 and Server 2012 systems like Windows 10 and Server 2016, deploying this patch is a priority.
MS16-147 -- Critical
MS16-147 addresses a single reported vulnerability in the Microsoft Uniscribe handler that could lead to a remote code execution scenario. The Uniscribe component is a collection of API's that relate to how fonts and typography are handled within Windows systems across different languages. This update will be included in this month's security roll-up.
MS16-148 -- Critical
MS16-148 addresses 16 privately reported vulnerabilities in Microsoft Office that if left unpatched could lead to a remote code execution scenario on the target system. This update applies to all currently supported versions of Microsoft Office including Mac versions, going all the way back to Office 2007. This patch is separate from the two-other security and quality roll-ups for this month and must be deployed independently.
MS16-154 -- Critical
MS16-154 is the Microsoft wrapper for the Adobe Flash update that then attempts to resolve 17 vulnerabilities. There have been reports of a zero-day vulnerability that has successfully compromised 32-bit IE systems and so this is an urgent "Patch Now" update. This month, Microsoft has not offered any work-arounds or mitigating factors for any of the other Microsoft patches or updates. However, for this update Microsoft offered the simple advice, "Disable Flash." I agree.
MS16-149 -- Important
MS16-149 addresses two privately reported issues in how Windows cryptography components handles objects in memory. These vulnerabilities are relatively easy to exploit and could lead to an elevation of privilege scenario. This patch will be added to this month's security roll-up.
MS16-150 -- Important
MS16-150 attempts to resolve a single, privately reported vulnerability in the Windows kernel that could lead to an elevation of privilege scenario. This vulnerability requires a user to execute a specially crafted application and so the risk for most organizations is quite low due to virus and firewall protections.
MS16-151 -- Important
MS16-151 addresses two privately reported, lower risk vulnerabilities in the Windows kernel mode drivers. This update will be included in the Windows security roll-up. In addition, this patch is linked to MS16-152, and will affect all currently supported Windows systems (both desktop and server platforms).
MS16-152 -- Important
MS16-152 resolves a single, privately reported vulnerability in the Windows kernel that only affects Windows 10 and Server 2016 systems. This is a difficult to exploit vulnerability and at worst it may lead to an information disclosure scenario. This update will be included in the Windows monthly roll-up.
MS16-153 -- Important
MS16-153 resolves a single, privately reported the driver sub-system for the Windows Common Log File System (CLFS) that could lead to an information disclosure scenario. This is another difficult to exploit vulnerability but it does affect all currently supported Windows systems.
MS16-155 -- Important
MS16-155 addresses a hard to exploit, lower risk vulnerability in the Microsoft .NET framework. This update has its own update package and is not included in the Windows quality and security roll-ups. Therefore, it can be tested and deployed separately if required.
This article is published as part of the IDG Contributor Network. Want to Join?