All Windows users should patch these new 'critical' flaws


RV_

Included in today's Windows updates are patches for several critical issues.

 

Excerpt from ThreatPost:

 

"November Patch Tuesday Brings 12 Bulletins, Four Critical

 

Microsoft today pushed out 12 bulletins as part of November’s Patch Tuesday, including four critical updates, all of which can lead to remote code execution.

 

The update is rounded out by fixes for Windows, Lync, .NET, and Skype for Business, but there are two critical fixes that affect browsers on practically every build of Windows, Internet Explorer and Edge.

 

The Internet Explorer bulletin is marked critical for any users running versions of IE 7 to IE 11 and fixes 25 different vulnerabilities, mostly memory corruption bugs that can lead to code execution, in the browser. Assuming an attacker could get a user to view a specially crafted website, they could exploit the vulnerabilities and gain the same rights as the user.

 

In addition to the memory corruption bugs, three other issues, including an information disclosure vulnerability, an ASLR bypass, and a different type of memory corruption bug–this one in the scripting engines JScript and VBScript–were also fixed.

 

The update for Microsoft’s Edge browser fixes far fewer vulnerabilities than the IE bulletin, just four overall, but is still marked critical for anyone running Windows 10. Like the IE updates, the Edge bulletin fixes memory corruption vulnerabilities and an ASLR bypass vulnerability that could have let an attacker gain the same user rights as the user.

 

It’s expected that Microsoft will push its “Fall Update” for Windows 10, bringing the operating system its first functionality upgrade on Thursday, meaning some users may have to wait two days to apply today’s Edge update.

 

According to Qualys’ Wolfgang Kandek, another critical bulletin, MS15-115, should be users’ number one fix. The update tweaks how Windows handles objects in memory, how a font subsystem, Adobe Type Manager Library in Windows, handles embedded fonts, and how Windows Kernel validates certain permissions. The bulletin fixes seven vulnerabilities that could let an attacker execute code remotely if they could trick a user into opening a document or visiting a page that contains embedded fonts.

 

“Two of the [seven] vulnerabilities are in the font subsystem, which makes them remotely exploitable through web browsing and e-mail and affect all versions of Windows, including Windows 10 and RT,” Kandek said.

 

The last critical update addresses a heap overflow vulnerability in Windows Journal, a notetaking app on Vista and Windows 7. If an attacker got a user to open a malicious Journal file on an affected version of the app, they could theoretically execute arbitrary code.

 

While the rest of the bulletins may not be marked critical, experts say they still deserve users’ attention.

 

Jon Rudolph, a principal software engineer with Core Security, stressed Tuesday that fixes associated with a trio of elevation of privilege vulnerabilities in NDIS, .NET, and Winsock are worthy of being marked “Important” and should be cause for concern.

 

Other fixes this month include an update for Schannel to prevent spoofing through man-in-the-middle attacks, an update to Kerberos to prevent a bypass, and updates to both Skype for Business and Lync that could’ve left users open to malicious JavaScript messages."

 

See more with related links and hotlinks at: https://threatpost.com/november-patch-tuesday-brings-12-bulletins-four-critical/115326/#sthash.IdkAXinD.dpuf

 

 

Excerpt from ZDNET:

 

"The software giant released the patches Tuesday as part of its monthly release of security updates.

 

All users running Windows Vista and later -- including Windows 10 -- are affected by two flaws, which could allow an attacker to install malware on an affected machine.

 

The patch, MS15-112, addresses a memory corruption flaw in Internet Explorer. If exploited, an attacker could gain access to an affected machine, gaining the same access rights as the logged-in user, such as installing programs, and deleting data.

 

Users must be tricked or convinced into clicking a link, such as from an email or instant message, which opens a website that contains code that can exploit the flaw.

The software giant's new Edge browser, which runs exclusively on Windows 10 machines, is also affected by the flaw, and has its own separate bulletin, MS15-113.

 

Windows server systems -- including users running the third-preview of Windows Server 2016 -- are also at risk, but its enhanced security mode helps to mitigate the vulnerability.

 

The other patch affecting all versions of Windows, MS15-115, fixes a series of flaws that could allow an attacker to remotely execute code on an affected machine by exploiting how the operating system handles and displays fonts. Some of the flaws can only be triggered if an attacker logs on to the affected machine, but some can be triggered by the user visiting a web page that contains exploit code.

 

Microsoft said the two flaws were not being publicly exploited by attackers.

 

The company said another critical flaw, MS15-114, is a flaw in Windows Journal that affects Windows Vista and Windows 7.

 

The vulnerability can allow an attacker to remotely execute code on an affected computer if a user opens an exploitable file.

 

Users running lower user privileges are less impacted.

 

Microsoft also released eight other patches -- MS15-116 through to MS15-123 -- for "important" issues relating to Microsoft Office, .NET Framework, and Skype."

 

That whole article with related links is here: http://www.zdnet.com/article/november-2015-patch-tuesday/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
