Microsoft’s security patches for December fix 34 vulnerabilities across the company’s products, including in Internet Explorer, Edge, Office and Windows.
The largest number of vulnerabilities were fixed in the scripting engine used in the company’s Internet Explorer and Edge browsers. Most of them are memory corruption issues that can result in remote code execution and are rated as critical.
“From a prioritization standpoint, again we turn our focus to the browsers and the Scripting Engine Memory Corruption Vulnerabilities,” said Gill Langston, director of product management at Qualys. “We recommend prioritizing patching user-facing workstations to address the 19 critical Internet Explorer and Edge updates released today by Microsoft, as they are listed as ‘Exploitation More Likely.’ There are no known exploits as of yet, but this is an opportunity to remain ahead of any future exploits that may be released.”
In Windows, Microsoft fixed a remote code execution flaw that can be exploited through an RPC server that has Routing and Remote Access enabled. Fortunately, this feature is not enabled in a default configuration.
Another vulnerability fixed in Windows 10 and Windows Server 2016 can allow bypassing the Device Guard security feature by making an unsigned malicious file appear to be signed. A third flaw was fixed in the Windows its:// protocol handler that could result in information being disclosed to a remote server.
Microsoft Exchange Server 2016 received an update to address a vulnerability in the way Outlook Web Access (OWA) validates web requests. The flaw could be exploited through malicious links sent via email to spoof or inject content with the goal of tricking users into exposing sensitive information.
Microsoft Office received fixes for four vulnerabilities, including a remote code execution issue in Excel, an information disclosure flaw in PowerPoint and an elevation of privilege weakness in SharePoint.
The company also released an optional defense-in-depth update for Office that disables the Dynamic Update Exchange protocol (DDE) in all supported editions of Microsoft Word. This feature, which allows documents to be updated with information from external files, has recently been abused in attacks to infect computers with malware, including by the Russian cyberespionage group known as Fancy Bear or APT28.
While this new defense-in-depth update applies only to Microsoft Word, the company has previously released DDE attack mitigation instructions for other Office products, including Excel and Outlook.
This Patch Tuesday also includes fixes for two remote code execution issues in the Microsoft Malware Protection Engine, a core component used by many Microsoft security products, including Windows Defender, Microsoft Endpoint Protection, Microsoft Security Essentials, Microsoft Forefront Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Exchange Server. Microsoft had in fact already shipped the fix last week, through engine definition updates for most of the affected products, so systems configured to update themselves automatically received it before Patch Tuesday.
“As a precautionary measure, if you are using Microsoft’s Malware Protection engine in Defender, Security Essentials, Forefront Endpoint Protection, or the engines in Exchange 2013 or 2016, ensure that your updates are being applied automatically, and that you are on at least Version 1.1.14405.2 of the Malware Protection Engine,” Langston said.
Both of the Malware Protection Engine (MPE) vulnerabilities can be exploited by delivering a specially crafted file to users via websites, email, online messaging or other methods that would result in that file being automatically scanned by an affected Microsoft anti-malware product. Successful exploitation results in the execution of arbitrary code with LocalSystem privileges, making these flaws critical and highlighting the risks of vulnerabilities in antivirus products in general.
The two MPE vulnerabilities were reported to Microsoft by the U.K. National Cyber Security Centre (NCSC), an arm of the British signals intelligence agency Government Communications Headquarters (GCHQ).
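One way to carry out the check Langston recommends on Windows 10 and Windows Server 2016 hosts running Windows Defender, as an added example that is not part of the article and not code from Qualys or Microsoft: it uses the Defender module's Get-MpComputerStatus cmdlet and compares the reported engine version against 1.1.14405.2. The three-day signature-age threshold used to judge whether automatic updates are working is an assumption; products such as Security Essentials or Forefront do not expose this cmdlet and need their own check.

```powershell
# Added example: verify the local Malware Protection Engine version and that
# definition auto-updates are actually landing. Assumes the Windows Defender
# PowerShell module (Get-MpComputerStatus) is available on this host.

$MinimumEngine = [version]'1.1.14405.2'   # minimum engine version quoted in the article

function Test-MpEngineVersion {
    param(
        [version]$Minimum = $MinimumEngine,
        [int]$MaxSignatureAgeDays = 3        # assumed threshold for "updates are current"
    )

    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion            # e.g. "1.1.14405.2"
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        EnginePatched      = ($engine -ge $Minimum)        # proper version compare, not string compare
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = [math]::Round($sigAge.TotalDays, 1)
        UpdatesLookCurrent = ($sigAge.TotalDays -le $MaxSignatureAgeDays)
    }
}

# Report the host's state and flag the two conditions an administrator cares about.
$result = Test-MpEngineVersion
if (-not $result.EnginePatched) {
    Write-Warning "Engine $($result.EngineVersion) is older than $MinimumEngine; apply definition updates now."
}
if (-not $result.UpdatesLookCurrent) {
    Write-Warning "Signatures last updated $($result.SignatureAgeDays) days ago; automatic updates may be broken."
}
$result | Format-List
```

Run it across a fleet with Invoke-Command or a CIM session to collect the same object from each host and sort by EnginePatched.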
Computers running Windows 10 or 8.1 with Microsoft Edge or Internet Explorer 11 will also receive a security patch for the bundled Flash Player plug-in that Adobe released Tuesday. The update fixes a single business logic vulnerability that can result in the unintended reset of Flash Player’s global settings preference file. The issue is rated as moderate severity by Adobe.