1.    09 Dec 2015 #1
    Join Date : Jul 2015
    Poole Dorset UK
    Posts : 2,561
    Windows 10 x64 Home Version(1709) Build16299.98

    Microsoft passes 130 security fixes for 2015 with final Patch Tuesday


    Microsoft passes 130 security fixes for 2015 with final Patch Tuesday update
    by Dan Worth

    09 Dec 2015

    Microsoft issues final 2015 Patch Tuesday update

    Microsoft has issued its final Patch Tuesday update of 2015, taking the total number of security fixes for the year to 135. This is well in excess of the 85 issued in 2014.

    The December update contained 12 fixes, eight of which are rated critical while the other four are rated as important.

    The critical fixes relate to key Microsoft products including Internet Explorer, its new Edge browser, the Silverlight video player and issues within Windows, as well as Skype for Business and Lync. The four important fixes all relate to Windows.

    The MS15-124 fix for Internet Explorer is a cumulative update for the browser, fixing several issues. Microsoft said the most severe of these could allow remote code execution if a user visits a specifically crafted web page in IE. The Edge update fixes the same problem.

    “An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user,” explains Microsoft in its notes.

    Meanwhile, the MS15-128 fix covers similar issues in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync and Silverlight.

    “The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a web page that contains specially crafted embedded fonts,” Microsoft's notes explain.

    One other notable fix is MS15-135, which, while only rated as important, is the issue that Qualys CTO Wolfgang Kandek said businesses should focus on first, as it addresses a zero-day vulnerability within the Windows kernel.

    “There is no further information about how widely spread the vulnerability and its exploit are, but it is worth a top spot in our priority list,” he said.

    Another fix Kandek said IT admins should focus on is MS15-131, which covers an issue within Microsoft Office and is rated as critical.

    "CVE-2015-6172 is a critical vulnerability in Outlook that is triggered by a maliciously formatted email message," he said.

    "There is no reasonable workaround: Microsoft suggests turning off the preview pane - the digital equivalent of 'Just don’t do it', so patch this vulnerability as soon as possible."

    Kandek also said that while part of the increase in vulnerabilities found and fixed in 2015 can be attributed to the release of new products, such as Windows 10 and its Edge browser, the focus on finding security issues is also growing.

    “The majority of the increase is due to new parts of the Windows ecosystem that are being investigated for the first time, a tendency that shows how much more important computer security has become over the years,” he said.

    Patch Tuesday

    Microsoft passes 130 security fixes for 2015 with final Patch Tuesday update - IT News from V3.co.uk
  2.    09 Dec 2015 #2
    Join Date : Apr 2015
    Posts : 169
    Windows 10

    Quote Originally Posted by hTconeM9user
    Another fix Kandek said IT admins should focus on is MS15-131, which covers an issue within Microsoft Office and is rated as critical.

    "CVE-2015-6172 is a critical vulnerability in Outlook that is triggered by a maliciously formatted email message," he said.

    "There is no reasonable workaround: Microsoft suggests turning off the preview pane - the digital equivalent of 'Just don’t do it', so patch this vulnerability as soon as possible."
    Hm...is the above quote not ambiguous? Both 'fix' and 'workaround' have been used.

    Has the Outlook issue been fixed with yesterday's patch or not? I hope that the Outlook issue has been fixed as the suggested workaround is quite inconvenient.

    What does a 'maliciously formatted email message' look like?

    See also the quote below from https://technet.microsoft.com/en-us/.../ms15-131.aspx

    Microsoft Office RCE Vulnerability – CVE-2015-6172

    A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user and take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    To exploit the vulnerability, the user must open or preview a specially crafted email message with an affected version of Microsoft Outlook. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email message to the user and then convincing the user to preview or open the email.

    Workstations and terminal servers on which Microsoft Outlook is installed are at risk of this vulnerability. Servers could be more at risk if administrators allow users to log on to them to run programs. However, best practices strongly discourage allowing this. The update addresses the vulnerability by correcting how Microsoft Outlook parses specially crafted malicious email messages.

    Microsoft received information about this vulnerability through coordinated vulnerability disclosure. At the time this security bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.

    Mitigating Factors

    Microsoft has not identified any mitigating factors for this vulnerability.

    Workarounds

    The following workarounds may be helpful in your situation:

    • Disable previewing messages in Outlook
      • On the View menu, point to Message Preview, click Off and then confirm that all mailboxes are disabled.

      How to undo the workaround.

      • On the View menu, point to Message Preview, and then click On.

    • Disable reading Outlook email messages in HTML
      1. Click the File tab.
      2. Click Options.
      3. Click Trust Center, and then click Trust Center Settings.
      4. Click Email Security.
      5. Under Read as Plain Text, select the Read all standard mail in plain text checkbox.

      How to undo the workaround.

      1. Click the File tab.
      2. Click Options.
      3. Click Trust Center, and then click Trust Center Settings.
      4. Click Email Security.
      5. Under Read as Plain Text, select Read all standard mail in plain text.
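A check for the "Read all standard mail in plain text" workaround listed in the bulletin quoted above, as an added example that is not part of the original posts or of Microsoft's bulletin. It assumes the checkbox is stored as the DWORD value `ReadAsPlain` under `...\Outlook\Options\Mail` for the current user (with a Group Policy copy under `Software\Policies`), and the list of Office version keys is likewise an assumption.

```powershell
# Added example: audit the plain-text reading workaround for the current user.
# Assumptions (not stated in the quoted bulletin): the Trust Center checkbox is
# stored as DWORD ReadAsPlain, and the Office version keys listed below.

$OfficeVersions = '12.0', '14.0', '15.0', '16.0'   # assumed: Outlook 2007 through 2016
$Roots = @(
    'HKCU:\Software\Policies\Microsoft\Office',     # Group Policy value, checked first
    'HKCU:\Software\Microsoft\Office'               # user preference set in Trust Center
)

function Get-ReadAsPlainState {
    param([string[]]$Versions = $OfficeVersions)

    foreach ($ver in $Versions) {
        # Skip Office versions that have no Outlook settings for this user
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Outlook")) { continue }

        $value = $null
        $source = 'not set'
        foreach ($root in $Roots) {
            $key = "$root\$ver\Outlook\Options\Mail"
            $prop = Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.ReadAsPlain; $source = $key; break }
        }

        [pscustomobject]@{
            OfficeVersion = $ver
            ReadAsPlain   = $value
            Source        = $source
            WorkaroundOn  = ($value -eq 1)   # 1 = read standard mail as plain text
        }
    }
}

$report = @(Get-ReadAsPlainState)
if ($report.Count -eq 0) {
    Write-Output 'No Outlook configuration found for this user.'
} else {
    $report | Format-Table -AutoSize
    # Non-zero exit lets a management tool flag hosts that still render HTML mail
    if ($report.WorkaroundOn -contains $false) { exit 1 }
}
```

The script only reads the registry, so it reports on the workaround without changing it; installing the MS15-131 update remains the fix the bulletin describes.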

 

