Security

It's nearly 2016, and Windows DNS servers can be pwned remotely

And Word documents can own PCs – 71 patches to apply ASAP, people

Patch Tuesday Microsoft is closing out the year with a fix for 71 security vulnerabilities in Windows Server, client-side Windows, Office, Internet Explorer, and Edge.

Among the patches are two vulnerabilities that are already being exploited in the wild for elevation of privilege and remote code execution.

The December Patch Tuesday load contains the following updates:

  • MS15-135 Addressing four flaws in the Windows kernel-mode drivers, one of which (CVE-2015-6175) is being targeted in the wild for an elevation of privilege exploit.
  • MS15-131 A fix for multiple flaws in Office, including the CVE-2015-6124 flaw currently being targeted in the wild for remote code execution. The update patches Microsoft Office 2007 and later, including Office 2011 for Mac.
  • MS15-128 A fix for three CVE-listed memory corruption flaws (CVE-2015-6106, CVE-2015-6107, CVE-2015-6108) in Windows that could be exploited by visiting a specially crafted webpage or document containing a corrupted font. All systems from Windows Vista through Windows 10 and Server 2008 through Server 2012 are vulnerable.
  • MS15-124 A cumulative Internet Explorer update addressing 30 security flaws including remote code execution, information disclosure, and elevation of privilege flaws in Internet Explorer versions 7 through 11 on Windows Vista through Windows 10.
  • MS15-125 A cumulative update for Microsoft Edge browsers on Windows 10 addressing a total of 16 CVE-listed flaws allowing for remote code execution, elevation of privilege, information disclosure, and security bypass.
  • MS15-126 Addresses an information disclosure flaw and a remote code execution vulnerability in Microsoft JScript and VBscript for Internet Explorer versions 7 through 11.
  • MS15-127 Addresses a use-after-free vulnerability in Windows DNS (CVE-2015-6125) that would allow remote code execution attacks on Windows Server 2008, Windows Server 2012, and Server Core installations.
  • MS15-129 An update for Silverlight to patch one CVE-listed flaw (CVE-2015-6166) allowing remote code execution and two (CVE-2015-6114, CVE-2015-6165) allowing for information disclosure in Silverlight for both Windows and OS X. No exploits reported.
  • MS15-130 Addresses one flaw (CVE-2015-6130) allowing remote code execution via a webpage with a corrupted font on Windows 7, Server 2008 R2, and Server Core.
  • MS15-132 Addressing three remote code execution vulnerabilities (CVE-2015-6128, CVE-2015-6132, CVE-2015-6133) that could be exploited by opening a malicious application in Windows. All versions from Vista through Windows 10 and Server through Server 2012 are vulnerable.
  • MS15-133 An elevation of privilege vulnerability (CVE-2015-6126) found in the Windows PGM protocol that could be exploited by running an application. All Windows builds Vista and later and Server 2008 and later are vulnerable.
  • MS15-134 One remote code execution (CVE-2015-6131) and one elevation of privilege flaw (CVE-2015-6127) in Windows Media Center for Windows Vista, Windows 7, and Windows 8/8.1.

The Microsoft update comes on the heels of a massive Flash update from Adobe. Together, the patches cover more than 150 CVE-listed security flaws. As such, users and administrators are being advised to update their systems as soon as possible. ®

Sponsored: 2016 Cyberthreat defense report