Microsoft has delivered a massive December Patch Tuesday with eight critical and four important updates. This month's patch release addresses a hefty 71 Windows vulnerabilities with two publicly reported exploits already "in the wild." The two Microsoft browser updates are good candidates for quick deployment but one Office update and a key Windows component may need some further testing.
MS15-124 -- Critical
The first update rated as critical for this December Patch Tuesday is MS15-124 which addresses a reported 30 vulnerabilities that could lead to a potential remote code execution scenario in Microsoft Internet Explorer (IE). MS15-124 affects all currently supported versions of IE and addresses a number of VBScript, memory handling, XSS and cross-domain security handling issues. This update refreshes all of the IE related binaries and therefore a full system restart will be required for all affected workstations and servers. The exploitation profile for this update is quite high, but does not include any zero-day vulnerabilities. This is a patch now update.
MS15-125 -- Critical
The next update rated as critical for this month, MS15-125, addresses 15 issues in Microsoft's (other) browser Edge, the most severe of which could lead to a remote code execution scenario. With a much reduced issue count and exploitation profile, MS15-125 still only requires a user to visit a specially crafted web page to allow an attacker to successfully gain the same security privileges as the logged on user. Make this update a priority.
MS15-126 -- Critical
MS15-126 attempts to address two system level scripting based memory corruption issues that affect the now aging Windows Vista and Server 2008 systems. Though sounding similar to the issues raised in MS15-124 and MS15-125, this update addresses different components of the VBScript system and if left un-patched, could lead to a remote code execution scenario. Add this to your standard patch deployment effort.
MS15-127 -- Critical
MS15-127 addresses a single critical vulnerability in the DNS server component in Windows Server 2008 (Rx) and Server 2012. This update has a reduced exploitation profile as the single reported issue was not publicly disclosed. However, a remote code execution scenario is possible with an attacker sending a specially crafted request to this DNS server component. Microsoft has not documented any mitigating strategies or work-arounds and so add this patch to your standard patch deployment program.
MS15-128 -- Critical
MS15-128 attempts to address three reported vulnerabilities in the core Windows Graphics GDI component. This update affects all supported versions of Windows, the Microsoft .NET framework and a number of core Office components including the new Skype for Business. The exploitation index for these vulnerabilities is pretty high, but no zero-day vulnerabilities. The worst case for each of these privately reported issues could lead to a remote code execution scenario. This is a top priority patch that requires some in-depth testing. Examining the patch manifest (the files that are changed) it appears that several core drivers, the primary graphics driver and the foundation of the user sub-system have all been updated. Wow! Test and test and test again before you deploy this update.
MS15-129 -- Critical
The next update from Microsoft is a little less severe, with MS15-129 attempting to address three privately reported vulnerabilities in Microsoft Silverlight that could lead to a remote code execution scenario. This update is rated critical for all supported versions of Microsoft desktop and server systems as well as all Mac environments. Microsoft has documented a number of workarounds for both PC and Mac environments but given the relatively low profile of the Silverlight changes, deploying this update is recommended. Add this update to your standard patch program.
MS15-130 -- Critical
MS15-130 is rated as a critical patch that attempts to resolve a single privately reported vulnerability in the Windows Uniscribe typography support component. This patch only affects currently supported versions of Windows 7 and Window Server 2008 R2 and attempts to prevent a remote code execution security scenario. I was initially thinking that this was another troublesome update to the font drivers (remember MS15-078) but after examining the contents of the update, it appears that the testing scope is pretty limited. If you use academic or mathematical notation in your line of business applications, you may want to test this update before adding to a standard deployment effort.
MS15-131 -- Critical
MS15-131 is a critical patch that updates Microsoft Office in an attempt to resolve six vulnerabilities that at worst could lead to a remote code execution scenario. Most importantly, this update addresses a vulnerability that has been successfully exploited "in the wild" and reported publicly, where an attacker was able to run arbitrary code with the same security privileges as the logged in user. MS15-131 does not update many files in the Microsoft Office file portfolio, although it does modify the Word Converter system and Excel. Given the risk profile for this update, make deploying this patch a priority.
MS15-132 -- Important
MS14-132 is the first update for December that has been rated as important by Microsoft and addresses three reported vulnerabilities that could lead to a remote code execution scenario. This is a core Windows update that affects all supported versions of Windows desktops, server and core operating systems. This patch attempts to address a vulnerability in the COM+ development environment (which goes back to Windows Server 2000) where windows library loading and handling in the past have led to memory corruption issues. Add this patch to your standard update deployment program.
MS15-133 -- Important
MS15-133 addresses a single, lower risk vulnerability in the Microsoft Message Queue (MMQ) system that could lead to an elevation of privilege security scenario. The exploit for this vulnerability is quite complex as it requires the Pragmatic General Multicast (PGM) protocol to be enabled as well as the MMQ sub-system. Add this patch to your standard patch deployment effort.
MS15-134 -- Important
MS15-134 addresses two lower risk exploits in Microsoft Media Center that if left unpatched, could allow a specially crafted Media Center link file (MCL) to create a remote code execution scenario. For most enterprises, there is a viable work-around where you can simply disable the MCL file extension. This update to a lesser used Microsoft component has a minimal update profile and therefore should present a reduced change management risk. Add this update to your standard patch deployment program.
MS15-135 -- Important
The final update for this December Patch Tuesday is MS15-135, which address four high-risk vulnerabilities with a zero-day publicly disclosed exploit. This patch updates a core system (kernel) level driver, a key graphics component and most of the user sub-systems (some of which were already updated by MS15-128). This update will require some comprehensive testing before deployment. Maybe wait a few days, and then start with the IT department before a general roll-out.