December’s Patch Tuesday Addresses Windows and Office Flaws Exploited in the Wild
In this month's Patch Tuesday update, Microsoft has released a number of security bulletins to address over 60 vulnerabilities in different products, including zero-day vulnerabilities in Windows and Office.
Important Patch Tuesday updates:
As in every other month, Microsoft has released a number of critical security patches for its different products and, depending on your time zone, you might already be receiving these updates on your Windows systems. This month's Patch Tuesday update carries important fixes for critical security vulnerabilities. Eight of these bulletins have been rated critical, fixing security vulnerabilities in Windows OS, Internet Explorer, Microsoft Edge browser, Skype for Business, Silverlight, and others.
There are several important bug fixes included in this month's security update; here are some of the important vulnerabilities that have been patched:
- MS15-124: affects Internet Explorer and allows remote code execution. Attackers can gain control of a machine if they manage to trick a user into visiting a maliciously crafted website.
- MS15-127: Windows servers that are configured as DNS servers are at risk from this vulnerability, according to Microsoft. "Attackers that exploit MS15-127 in Microsoft’s DNS server would gain control over the server and execute code in the system context. The attack is remote and does not require authentication, and no workarounds are available. Bring your Microsoft DNS servers up to date as soon as possible, with the required testing and soak time for such a fundamental service," explains Qualys.
- MS15-128: these vulnerabilities affected Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight, allowing attackers to install programs, access data and get full user rights on an affected machine. The update fixes the problem by correcting how the Windows font library handles embedded fonts. According to the security bulletin, "vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts."
- MS15-131: this vulnerability has been exploited in the wild. It affects Office, and an attacker can exploit it if the target user is tricked into opening a specially crafted file.
- MS15-135: this includes several Windows kernel vulnerabilities that can be exploited for privilege escalation. One of these vulnerabilities has been publicly disclosed and also exploited in the wild.
Several other vulnerabilities have been resolved in Internet Explorer. Of these, 11 also affect Microsoft's latest Edge browser. Patches for critical vulnerabilities also cover an unsafe Xbox Live certificate, Windows 7, Office 2007, Windows Server 2008, and other Microsoft products. Considering this is a very important security update package, it is highly recommended that you install this Patch Tuesday update on your Windows machines at the earliest opportunity.
More details can be found in the security bulletins.