Patch Tuesday, December 2016

Last updated at Tue, 18 Jul 2017 19:18:10 GMT

December continues a long running trend with Microsoft's products where the majority of bulletins (6) are dominated by remote code execution (RCE) followed by an even distribution of elevation of privilege (3) and information disclosure (3). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).

While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.

This month Microsoft resolves 59 vulnerabilities across 12 bulletins. For consumers MS16-144, MS16-145, MS16-146, MS16-147 and MS16-154 are the bulletins to watch out for, addressing 36 vulnerabilities. For server users MS16-146 and MS16-147 are the bulletins to watch out for, addressing 4 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been be exploited in the wild. However, five vulnerabilities addressed by MS16-144 (CVE-2016-7202, CVE-2016-7281, CVE-2016-7282), MS16-145 (CVE-2016-7206, CVE-2016-7281, CVE-2016-7282) and MS16-155 (CVE-2016-7270) are known to have been publicly disclosed.

Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month's bulletins and in accordance with your specific configuration, prioritize your deployment of this months' updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, MS16-154).

• CVE-2016-7278 (MS16-144)
• CVE-2016-7202 (MS16-144)
• CVE-2016-7279 (MS16-144, MS16-145)
• CVE-2016-7281 (MS16-144, MS16-145)
• CVE-2016-7282 (MS16-144, MS16-145)
• CVE-2016-7283 (MS16-144)
• CVE-2016-7284 (MS16-144)
• CVE-2016-7287 (MS16-144, MS16-145)
• CVE-2016-7181 (MS16-145)
• CVE-2016-7206 (MS16-145)
• CVE-2016-7280 (MS16-145)
• CVE-2016-7286 (MS16-145)
• CVE-2016-7288 (MS16-145)
• CVE-2016-7296 (MS16-145)
• CVE-2016-7297 (MS16-145)
• CVE-2016-7257 (MS16-146, MS16-148)
• CVE-2016-7272 (MS16-146)
• CVE-2016-7273 (MS16-146)
• CVE-2016-7274 (MS16-147)
• CVE-2016-7262 (MS16-148)
• CVE-2016-7264 (MS16-148)
• CVE-2016-7265 (MS16-148)
• CVE-2016-7266 (MS16-148)
• CVE-2016-7267 (MS16-148)
• CVE-2016-7268 (MS16-148)
• CVE-2016-7275 (MS16-148)
• CVE-2016-7276 (MS16-148)
• CVE-2016-7277 (MS16-148)
• CVE-2016-7289 (MS16-148)
• CVE-2016-7290 (MS16-148)
• CVE-2016-7291 (MS16-148)
• CVE-2016-7298 (MS16-148)
• CVE-2016-7263 (MS16-148)
• CVE-2016-7300 (MS16-148)
• CVE-2016-7219 (MS16-149)
• CVE-2016-7292 (MS16-149)
• CVE-2016-7271 (MS16-150)
• CVE-2016-7259 (MS16-151)
• CVE-2016-7260 (MS16-151)
• CVE-2016-7258 (MS16-152)
• CVE-2016-7295 (MS16-153)
• CVE-2016-7867 (MS16-154)
• CVE-2016-7868 (MS16-154)
• CVE-2016-7869 (MS16-154)
• CVE-2016-7870 (MS16-154)
• CVE-2016-7871 (MS16-154)
• CVE-2016-7872 (MS16-154)
• CVE-2016-7873 (MS16-154)
• CVE-2016-7874 (MS16-154)
• CVE-2016-7875 (MS16-154)
• CVE-2016-7876 (MS16-154)
• CVE-2016-7877 (MS16-154)
• CVE-2016-7878 (MS16-154)
• CVE-2016-7879 (MS16-154)
• CVE-2016-7880 (MS16-154)
• CVE-2016-7881 (MS16-154)
• CVE-2016-7890 (MS16-154)
• CVE-2016-7892 (MS16-154)
• CVE-2016-7270 (MS16-155)