Today is the December 2016 Microsoft Patch Tuesday, and Microsoft has released twelve security updates. Of these twelve updates, six are rated Critical because they allow remote code execution on the affected computer.
Remote Code Execution vulnerabilities are the type that allow an attacker to remotely execute commands on a computer. These commands could download software, add user accounts, or perform almost any action on the vulnerable computer.
All Windows users should run Windows Update and install all of the available updates as soon as possible. For a full list of the security updates, the vulnerabilities they resolve, and links to their respective bulletins, please see the list below.
December Microsoft Patch Tuesday Security Updates:
MS16-144 Cumulative Security Update for Internet Explorer 3204059 – Critical
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section.
The update addresses the vulnerabilities by correcting how:
- Microsoft browser and affected components handle objects in memory
- Microsoft browser checks Same Origin Policy for scripts running inside Web Workers
- Scripting engines handle objects in memory
For more information about this update, see Microsoft Knowledge Base Article 3204059.
MS16-145 Cumulative Security Update for Microsoft Edge 3204062 – Critical
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
This security update is rated Critical for Microsoft Edge on Windows 10 and Windows Server 2016. For more information, see the Affected Software section.
The update addresses the vulnerabilities by correcting how:
- Microsoft browser and affected components handle objects in memory
- Microsoft browser checks Same Origin Policy for scripts running inside Web Workers
- Scripting engines handle objects in memory
For more information about the vulnerabilities, see the Vulnerability Information section.
For more information about this update, see Microsoft Knowledge Base Article 3204062.
MS16-146 Security Update for Microsoft Graphics Component 3204066 – Critical
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
This security update addresses the vulnerabilities by correcting how the Windows GDI component handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3204066.
MS16-147 Security Update for Microsoft Uniscribe 3204063 – Critical
This security update resolves a vulnerability in Windows Uniscribe. The vulnerability could allow remote code execution if a user visits a specially crafted website or opens a specially crafted document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported releases of Microsoft Windows. For more information about the vulnerability, see the Vulnerability Information section.
This security update addresses the vulnerability by correcting how Windows Uniscribe handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3204063.
MS16-148 Security Update for Microsoft Office 3204068 – Critical
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how:
- Microsoft Office initializes variables
- Microsoft Office validates input
- Microsoft Office rechecks registry values
- Microsoft Office parses file formats
- Affected versions of Office and Office components handle objects in memory
- Microsoft Office for Mac Autoupdate validates packages
For more information about this update, see Microsoft Knowledge Base Article 3204068.
MS16-149 Security Update for Windows 3205655 – Important
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if a locally authenticated attacker runs a specially crafted application.
This security update is rated Important for all supported releases of Microsoft Windows.
The security update addresses the vulnerabilities by:
- Correcting how a Windows crypto driver handles objects in memory.
- Correcting the input sanitization error to preclude unintended elevation.
For more information about this update, see Microsoft Knowledge Base Article 3205655.
MS16-150 Security Update for Windows Secure Kernel Mode 3205642 – Important
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if a locally-authenticated attacker runs a specially crafted application on a targeted system. An attacker who successfully exploited the vulnerability could violate virtual trust levels (VTL).
This security update is rated Important for all supported editions of Windows 10 and Windows Server 2016.
The update addresses the vulnerability by correcting how Windows Secure Kernel Mode handles objects in memory so that VTLs are properly enforced.
For more information about this update, see Microsoft Knowledge Base Article 3205642.
MS16-151 Security Update for Kernel-Mode Driver 3205651 – Important
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.
This security update is rated Important for all supported releases of Windows.
For more information about this update, see Microsoft Knowledge Base Article 3205651.
MS16-152 Security Update for Windows Kernel 3199709 – Important
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows kernel improperly handles objects in memory.
This security update is rated Important for all supported versions of Windows 10 and Windows Server 2016.
The security update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3199709.
MS16-153 Security Update for Common Log File System Driver 3207328 – Important
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to bypass security measures on the affected system, allowing further exploitation.
This security update is rated Important for all supported releases of Microsoft Windows.
The update addresses the vulnerability by correcting how CLFS handles objects in memory. For more information about this update, see Microsoft Knowledge Base Article 3207328.
MS16-154 Security Update for Adobe Flash Player 3209498 – Critical
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
For more information about this update, see Microsoft Knowledge Base Article 3209498.
MS16-155 Security Update for .NET Framework 3205640 – Important
This security update resolves a vulnerability in the Data Provider for SQL Server in Microsoft .NET Framework 4.6.2. The vulnerability could allow an attacker to access information that is protected by the Always Encrypted feature.
This security update is rated Important for Microsoft .NET Framework 4.6.2. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerability by correcting the way .NET Framework handles the developer-supplied key, and thus properly defends the data.
For more information about this update, see Microsoft Knowledge Base Article 3205640.
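To check a host for the twelve updates listed above, here is an added PowerShell example (not code from the article) that looks for each bulletin's KB article both in Get-HotFix output and in the Windows Update history; it assumes an elevated session on the host being checked. Cumulative updates and monthly rollups install under their own KB ids rather than the bulletin's parent article number, so a miss is a prompt to verify further, not proof that the host is unpatched.

```powershell
# Added example, not code from the article: check a Windows host for the
# twelve December 2016 bulletin KB articles listed above. Assumes an elevated
# PowerShell session on the host. Caveat: these KB numbers are the bulletins'
# parent articles; cumulative updates (Windows 10 / Server 2016) and monthly
# rollups (Windows 7 / 8.1) install under their own KB ids, so "not found"
# means "verify further", not "unpatched".
$Bulletins = @(
    @{ Id = 'MS16-144'; KB = 'KB3204059'; Severity = 'Critical';  Name = 'Internet Explorer' }
    @{ Id = 'MS16-145'; KB = 'KB3204062'; Severity = 'Critical';  Name = 'Microsoft Edge' }
    @{ Id = 'MS16-146'; KB = 'KB3204066'; Severity = 'Critical';  Name = 'Graphics Component' }
    @{ Id = 'MS16-147'; KB = 'KB3204063'; Severity = 'Critical';  Name = 'Uniscribe' }
    @{ Id = 'MS16-148'; KB = 'KB3204068'; Severity = 'Critical';  Name = 'Office' }
    @{ Id = 'MS16-149'; KB = 'KB3205655'; Severity = 'Important'; Name = 'Windows' }
    @{ Id = 'MS16-150'; KB = 'KB3205642'; Severity = 'Important'; Name = 'Secure Kernel Mode' }
    @{ Id = 'MS16-151'; KB = 'KB3205651'; Severity = 'Important'; Name = 'Kernel-Mode Driver' }
    @{ Id = 'MS16-152'; KB = 'KB3199709'; Severity = 'Important'; Name = 'Windows Kernel' }
    @{ Id = 'MS16-153'; KB = 'KB3207328'; Severity = 'Important'; Name = 'CLFS Driver' }
    @{ Id = 'MS16-154'; KB = 'KB3209498'; Severity = 'Critical';  Name = 'Adobe Flash Player' }
    @{ Id = 'MS16-155'; KB = 'KB3205640'; Severity = 'Important'; Name = '.NET Framework' }
)

# Source 1: packages registered with the servicing stack.
$hotfixIds = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Source 2: Windows Update history; entry titles name the KB that was applied.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = if ($count -gt 0) {
    $searcher.QueryHistory(0, $count) |
        Where-Object { $_.ResultCode -eq 2 } |   # 2 = orcSucceeded
        Select-Object -ExpandProperty Title
} else { @() }

$report = foreach ($b in $Bulletins) {
    [pscustomobject]@{
        Bulletin  = $b.Id
        KB        = $b.KB
        Severity  = $b.Severity
        Component = $b.Name
        InHotFix  = $hotfixIds -contains $b.KB
        InHistory = [bool]($history | Where-Object { $_ -match $b.KB })
    }
}
$report | Format-Table -AutoSize

$unverified = @($report | Where-Object { -not ($_.InHotFix -or $_.InHistory) })
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) bulletin KB(s) found by neither source; confirm the installed rollup or cumulative update before treating this host as patched."
}
```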