Microsoft's November Patch Tuesday brings us four critical updates and eight important patches that attempt to resolve 54 reported vulnerabilities in Microsoft Windows and Microsoft Office. In addition to this release of 12 updates, we will shortly see Microsoft refresh the Windows 10 desktop platform with the Fall Refresh or Threshold 2 (build 1511). I expect to see this larger update of build 1511 released on Thursday.
MS15-112 -- Critical
The first Microsoft update for this November Patch Tuesday is MS15-112 which attempts to resolve 25 reported memory corruption errors in Microsoft Internet Explorer (IE). This update affects all versions of IE on both Microsoft's desktop and server platforms, with the potential for a remote code execution scenario. MS15-112 attempts to address numerous JScript, VBScript and improperly implemented ASLR security features. As is usually the case with these kinds of IE updates from Microsoft, the patch manifest includes a full refresh of all IE related DLL's and system files. In addition, the Microsoft exploitability ratings for each of these 25 issues range from lower severities to significant security issues. This is a patch now update from Microsoft.
MS15-113 -- Critical
The next update rated as critical by Microsoft is MS15-113 which attempts to resolve four reported issues in Microsoft's Window 10 browser Edge, the most severe of which could lead to a another remote code execution scenario. Like the other IE update for this month, the severity ratings are quite high for the reported vulnerabilities as all but one of the issues are again related to memory corruption problems. This update has also been included in the Microsoft Fall Refresh release (Threshold 2) though you will still need to apply this update even if you upgrade to the latest Windows 10 build 1511.
MS15-114 -- Critical
The next critical Microsoft update is less prominent than the IE and Edge browser updates, with MS15-114 attempting to resolve a single reported error in the Windows journaling system. We saw an issue like with this MS15-098 with this year's September Patch Tuesday release. Like the previous Journal update, Microsoft recommends not to open suspicious JNT files - and if you are really brave, you can "harden" your systems by removing the file type association for JNT files. We are likely to see a few more updates to the Windows Journal system, as it has been around for over 10 years and probably now requires some security-minded attention on how this application handles memory and its HEAP stack. Given that the September JNT update seemed to be OK, I would add this patch to your standard patch deployment program.
MS15-115 -- Critical
Moving on from one high profile update to another, MS15-115 is a general Windows update that attempts to address seven severe vulnerabilities in Windows, potentially resulting in a remote code execution scenario. For this general Windows update, we see several more memory corruption issues and another attempt at resolving some of the many and repeated vulnerabilities in the Adobe Type Library and Font manager system component. This is a core system update that updates two critical components (GDIPlus.dll and Win32k.sys). If it was just one of these files, I would be wary, and implement a rigorous testing program. With two critical systems files updated in a single patch, I would wait for a few days. We have seen many Blue Screen of Death (BSOD) scenarios in the past. If you have to deploy this patch, make sure you have an automated rebuild process and maybe start the patch deployment effort with the IT department on this one.
MS15-116 -- Important
The first update for November that is rated important by Microsoft is MS15-116 which attempts to resolve another seven remote code execution vulnerabilities that affect all currently supported versions (both 32-bit and 64-bit) versions of Microsoft Office. I feel that this update is rated as important by Microsoft as all of these vulnerabilities require a user to select and click on a specially crafted file, which would only have the same privileges as the logged on user. Microsoft has not detailed any workarounds or mitigating factors for these security issues. This is a major update to multiple versions of Microsoft Office, with changes to key program files (Winword.exe, Visio. EXE and Excel.exe) and changes to many supporting files. If your core business relies on Office document management (e.g. a Legal firm), you may want to stage this update and thoroughly test your core business applications.
MS15-117 -- Important
MS15-117 is rated as important by Microsoft and resolves a single reported vulnerability in the Windows NDIS network driver component. An attacker would have to successfully log in to a system with valid credentials and successfully run a specially crafted application to compromise a target system. I think that each system administrator is going to have to build their own deployment case with this Microsoft update, with its lower attack surface area coupled with a core update to system level network drivers and their supporting low-level system libraries. If you have a network analysis or security team, let them try this update first. Networking administration and analysis tools are likely to make greater use of these system components, and therefore may offer a first hint of potential trouble.
MS15-118 -- Important
The next important update from Microsoft relates to three vulnerabilities in the Microsoft .NET framework that may result in an elevation of privilege scenario. MS15--118 affects all supported versions of .NET and addresses several vulnerabilities in how Microsoft handles ASP.NET HTTP requests for XML files. Microsoft has not published any workarounds or mitigating factors for these security issues. However, comprehensive update and change logs for each version of .NET can be found here. We have seen a number of major .NET updates this year including: MS15-041, MS15-048 and MS15-101. This update affects even minimalist server core installations and really should be included as part of a carefully staged server update process.
MS15-119 -- Important
MS15-119 is rated as important by Microsoft and attempts to address a single reported vulnerability in the Windows networking Winsock component. The Windows Winsock (Windows Sockets API) is a key networking component that handles IP and TCP networking traffic and manages how other Windows components should access low-level network services. The Winsock API system component has been around since 1992 and this update affects all published versions of Windows desktop and server platforms. This update only changes a few system files (TDx.sys and Afd.sys). As with MS15-117, deploy this update to your IT and network analysis team prior to a full scale production deployment.
MS15-120 -- Important
MS15-120 is rated as important and attempts to resolve a single reported vulnerability in another Windows network component similar to the low-level Winsock components and IPSec updates included in MS15-119 and MS15-117. Again, these are core system updates to low-level networking operating system components. Given that this update has a reduced severity and minimal attack surface with a worst case scenario of a spoofing attack, I might wait a few day before a full deployment. Looks like the network team is going to be busy this week.
MS15-121 -- Important
MS15-121 is rated as important by Microsoft as it updates another core system element, the diskdrive related SChannel component, that was refreshed this July with MS15-076 and, ironically, last year in November with MS14-066. Unfortunately, this update includes a few changes to some core system libraries (Advapi32.DLL) that host a significant portion of the windows platform (like startup and shutdown functions). These updates have been successfully shipped "under the radar" a number of times by Microsoft without appearing to cause any problems. So, add this update to your standard patch deployment program.
MS15-122 -- Important
MS15-122 attempts to resolve a single, low risk vulnerability to the Microsoft Kerberos security module, which if compromised could lead to a security bypass scenario and potentially bypass Microsoft's BitLocker disk drive encryption mechanism. This important update from Microsoft changes a single file (Kerberos.dll) and should be included in your standard update deployment effort.
MS15-123 -- Important
MS15-123 is an important update from Microsoft that attempts to resolve a single privately reported vulnerability in Skype for Business and its predecessor Lync, that if left un-patched could lead to an information disclosure scenario. This update looks like a pretty standard application library update and should be included in your standard patch deployment effort.