For December's Patch Tuesday, Microsoft closed out 2015 by releasing 12 security bulletins, with eight marked critical, including a graphics-system exploit that affects all supported versions of Windows, Skype for Business and several other Microsoft products.
Microsoft issued a critical patch for bulletin MS15-128 to plug a security hole in the Windows graphics system, specifically a vulnerability with font handling. This affects all versions of Windows, the .NET framework, Microsoft Office 2007 and 2010, Skype for Business, Microsoft Lync and Silverlight.
An attacker could achieve remote code execution through these products if a user visits a website, or opens a document attached to an email, that contains specially crafted embedded fonts.
"This is a familiar type of patch that involves fonts," said Amol Sarwate, director of engineering for security vendor Qualys Inc., in Redwood City, Calif. "If an attacker hosts a malicious site with these fonts, and if a user visits the page, their system could be compromised."
"These types of font vulnerabilities are rated critical and the patches for them should be applied quickly, because it's very difficult to control which websites users will visit."
Shutting down a zero-day exploit
While marked important, security analysts said bulletin MS15-135 should be one of the first patches applied by IT shops, because it concerns a zero-day vulnerability in the kernel of several Windows operating systems.
"These are very important to address quickly," said Wolfgang Kandek, CTO at Qualys. "Many times, these patches are coming out to address attacks that are being used in the wild."
Public DNS servers at risk
Another critical bulletin, MS15-127, affects organizations that run a Microsoft domain name system (DNS) server on Windows Server 2008 and 2008 R2, Windows Server 2012 and 2012 R2, or Server Core, where that server can be reached from the public Internet. An attacker who sends a malicious packet to the DNS server could gain control of it.
"If an attacker takes over the DNS server, then they can direct users to a different server that contains malicious code," Sarwate said. "A lot of times, these DNS servers are internal and are not exposed to the Internet, so they could be patched at a later date if other patches have greater priority."
More Web-related vulnerabilities
Two critical security bulletins, MS15-124 and MS15-125, deal with vulnerabilities in the Internet Explorer and Microsoft Edge browsers, respectively. To date, the Edge browser has had just five bulletins issued since it became widely available following the July 29 release of Windows 10.
Silverlight and more font issues
Critical bulletin MS15-129 deals with remote code execution vulnerabilities in Microsoft Silverlight, which affect users on Mac and Windows systems who browse sites with specially crafted content.
The final critical bulletin, MS15-130, covers font vulnerabilities in Windows 7 and Windows Server 2008 R2 that could be exploited if a user opened a specially crafted document or visited a malicious website.
A fast, but measured approach
Microsoft had to reissue a patch from November to address problems reported by some users running Outlook 2010 and 2013. Certain emails would cause Outlook to crash on Windows 7 systems after the initial patch for MS15-115 was applied to the machines.
"While it is best for administrators to roll out patches as quickly as possible, it is best to do it in a well-structured manner," Kandek said.
He explained that some IT shops roll out patches to 1% of an organization's users, chosen as a diverse cross-section of machines running on different systems in different locations, to see if there are any issues with a patch. If no problems are reported, administrators continue the patching process by updating 10% of the machines on the second day, while continuing to monitor the results.
"By the third or fourth day, the patch should be rolled out to everyone else," Kandek said. "You certainly shouldn't wait longer than a week to get these patches installed."
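The staged rollout Kandek describes, as an added illustration that is not code from the article or from Qualys: a Python planner that splits a constructed inventory into 1%, 10% and remainder rings drawn round-robin across OS/site strata, with a gate that holds the next ring whenever an earlier ring reports problems. The host names, OS labels and site names are constructed sample data.

```python
import random
from collections import defaultdict
from math import ceil

# Constructed inventory (hostname, os, site); a real rollout would pull this
# from the asset inventory or patch-management console instead.
OSES = ("win7", "win81", "win10", "srv2008r2", "srv2012r2")
SITES = ("nyc", "london", "singapore")
INVENTORY = [
    (f"host{n:03d}", o, s)
    for n, (o, s) in enumerate((o, s) for o in OSES for s in SITES for _ in range(14))
]  # 5 OS versions x 3 sites x 14 machines = 210 hosts

# Cumulative share of the fleet patched per ring: 1% on day one, 10% on day
# two, everyone by day three or four.
RING_SHARES = (0.01, 0.10, 1.0)


def stratified_rings(inventory, shares=RING_SHARES, seed=0):
    """Assign hosts to rollout rings by round-robin over (os, site) strata, so
    the small early rings sample many system/location combinations rather than
    one convenient subnet. Returns a list of host lists, one per ring."""
    strata = defaultdict(list)
    for host, os_, site in inventory:
        strata[(os_, site)].append(host)
    keys = list(strata)
    random.Random(seed).shuffle(keys)  # deterministic, but not inventory order
    total, assigned, pos, rings = len(inventory), 0, 0, []
    for share in shares:
        target = ceil(total * share)  # cumulative hosts patched after this ring
        ring = []
        while assigned + len(ring) < target and any(strata.values()):
            bucket = strata[keys[pos % len(keys)]]
            pos += 1
            if bucket:
                ring.append(bucket.pop(0))
        rings.append(ring)
        assigned += len(ring)
    return rings


def release_ring(rings, day, issues_reported):
    """Gate between rings: if an earlier ring reported a problem (the kind of
    Outlook crash that forced the MS15-115 reissue), hold the rollout and
    return None; otherwise return the hosts to patch on this day (0-based)."""
    if issues_reported:
        return None
    return rings[day] if day < len(rings) else []
```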
More detailed information on these and the remaining bulletins can be found on the Microsoft Security Advisories and Bulletins site.