In December 2015, Microsoft closes a critical vulnerability in the Domain Name Service (DNS) of Windows Server. Meanwhile, Windows 10 Edge Browser and Internet Explorer are receiving cumulative updates. But these are just three of a dozen security bulletins Microsoft has released.
Eight of the twelve security bulletins with which Microsoft concludes the patch year 2015 were classified as critical. All of them allow an attacker under certain circumstances to remotely execute code on affected machines (RCE, Remote Code Execution).
Both the Internet Explorer version 7 to 11 (IE 7 to IE 11) and Microsoft Edge can serve as a gateway when calling specially designed websites. In the case of IE, the cumulative update MS15-124 and Edge's patch package MS15-125 are to be remedied . Client operating systems are considered particularly vulnerable; in the case of Windows servers, the risk of attack is moderate.
Both browsers have inadequacies when handling objects in memory, the IE update addresses this problem additionally with VBScript (Visual Basic Script). The cross-site scripting filters (XSS filters) of the two web page viewers are also freed from errors.The security bulletin MS15-126 is also a larger update package provided for JScript and VBScript. The most serious RCE vulnerabilities can be exploited through the browser, but as an attack medium, for example, can also be used in Office documents or applications embedded Active-X controls.
Parsing error in Microsoft DNS
For Windows Server 2008 and Server 2008 R2 (Release 2) and Windows Server 2012 and Server 2012 R2, security update MS15-127 is provided. Technical Previews 3 and 4 of Windows Server 2016 are also affected.
Apparently there are parsing errors in Microsoft's Domain Name Service (DNS), which can be exploited using specially designed DNS queries. If an attacker uses this attack vector, he could then execute malicious code in the context of a local user account on the server system. Until the patch was released, Microsoft was not aware of any successful attacks.
With the security bulletin MS15-128 Microsoft gets rid of several flaws in the graphic components of several software products. The vulnerabilities can be exploited using manipulated documents and website fonts. Apart from Windows, the .NET framework, MS Office, Skype for Business, Microsoft Lync and the Silverlight plug-in are also susceptible.
Further vulnerabilities in Silverlight 5 and the corresponding Developer Runtimes should be a thing of the past with the update MS15-129 . Faulty open and close requests can lead to a violation of the read / write permissions here. However, in order to take advantage of the vulnerability, an attacker first has to lure his victim onto a malicious or fake website. Important in this case is the information that the browser extension is also vulnerable in the case of Mac systems, not only under Windows.
A critical vulnerability was found in Microsoft Uniscribe. The MS15-130 update is targeted at all versions of Windows 7 and Windows Server 2008 R2 (including Server Core). With the last critical security bulletin MS15-131 Microsoft clears several flaws in Office 2007, 2010, 2013, 2013 RT and 2016 as well as Office 2011 and 2016 for Mac from the world. The respective Word and Excel components as well as compatibility packs are not spared either.
Still missing four security bulletins of priority level "Important". The MS15-132 patch addresses a vulnerability in all supported versions of Windows that an attacker can only exploit if he or she previously installs a specially crafted application locally.
Vulnerability in the Windows PGM protocol (Pragmatic General Multicast) allows local user rights to be raised and is addressed with patch MS15-133 . Such an "escelation of privilege" vulnerability is also found in the kernel-mode drivers of Windows and is fixed with the update MS15-135 . Several vulnerabilities in the Windows Media Center should close the MS15-134 update .
