Microsoft has release, December 8th 2015, during his December 2015 Patch Tuesday, two updated security advisory, one new security advisory and twelve security bulletins. On the twelve security bulletins eight of them have a Critical security rating.
Microsoft Security Advisory 2755801
MSA-2755801,released during September 2012, has been updated. The security advisory is concerning updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3119147 has been released for supported editions of for:
- Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
- Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
- Microsoft Edge on Windows 10.
The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-32.
Microsoft Security Advisory 3057154
MSA-3057154, release during July 2015, has been updated. The security advisory is concerning harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. KB3057154 has been released for:
- Windows Server 2003 Service Pack 2
- Windows Server 2003 R2 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 R2 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
- Windows 8 for 32-bit Systems
- Windows 8 for x64-based Systems
- Windows 8.1 for 32-bit Systems
- Windows 8.1 for x64-based Systems
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT
- Windows RT 8.1
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
Microsoft Security Advisory 3123040
MSA-3123040 concerns an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. KB2677070 has been release for:
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
- Windows 8 for 32-bit Systems
- Windows 8 for x64-based Systems
- Windows 8.1 for 32-bit Systems
- Windows 8.1 for x64-based Systems
- Windows RT
- Windows RT 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows 10
- Windows 10 Version 1511
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems (Server Core installation)
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2 (Server Core installation)
- Windows Phone 8
- Windows Phone 8.1
- Windows 10 Mobile
MS15-124 Cumulative Security Update for Internet Explorer
MS15-124 security update, classified as Critical, allowing remote code execution, is the fix for 30 privately reported vulnerabilities in Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. KB3116180 has been release for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6083 | 9.3 | No | No | Hui Gao of Palo Alto Networks |
| CVE-2015-6134 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative |
| CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6136 | 9.3 | No | No | - Simon Zuckerbraun, working with HP’s Zero Day Initiative - An anonymous researcher, working with HP’s Zero Day Initiative - Yuki Chen of Qihoo 360Vulcan Team |
| CVE-2015-6138 | 4.3 | No | No | None |
| CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski |
| CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6141 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6143 | 9.3 | No | No | None |
| CVE-2015-6144 | 4.3 | No | No | Masato Kinugawa |
| CVE-2015-6145 | 9.3 | No | No | Cong Zhang and Yi Jiang, working with Beijing VRV Software Co., LTD. |
| CVE-2015-6146 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6147 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative |
| CVE-2015-6149 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6150 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team(x-Team) , working with HP’s Zero Day Initiative |
| CVE-2015-6152 | 9.3 | No | No | Moritz Jodeit of Blue Frost Security |
| CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor) |
| CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent |
| CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6156 | 9.3 | No | No | Anonymous contributor, working with VeriSign iDefense Labs |
| CVE-2015-6157 | 4.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam |
| CVE-2015-6160 | 9.3 | No | No | Garage4Hackers, working with HP’s Zero Day Initiative |
| CVE-2015-6161 | 4.3 | No | No | Rh0 |
| CVE-2015-6162 | 9.3 | No | No | Wenxiang Qian of TencentQQBrowser |
| CVE-2015-6164 | 6.8 | No | No | None |
MS15-125 Cumulative Security Update for Microsoft Edge
MS15-125 security update, classified as Critical, allowing remote code execution, is the fix for 15 privately reported vulnerabilities in Microsoft Edge on Windows 10. KB3116184 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski |
| CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative |
| CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team(x-Team) , working with HP’s Zero Day Initiative |
| CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor) |
| CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent |
| CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam |
| CVE-2015-6161 | 4.3 | No | No | Rh0 |
| CVE-2015-6168 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative |
| CVE-2015-6169 | 4.3 | No | No | None |
| CVE-2015-6170 | 6.8 | No | No | Mario Heiderich of Cure53 |
| CVE-2015-6176 | 4.3 | No | No | Masato Kinugawa |
MS15-126 Cumulative Security Update for JScript and VBScript
MS15-126 security update, classified as Critical, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in VBScript scripting engine in Microsoft Windows. KB3116178 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6136 | 9.3 | No | No | - Simon Zuckerbraun, working with HP’s Zero Day Initiative - An anonymous researcher, working with HP’s Zero Day Initiative - Yuki Chen of Qihoo 360Vulcan Team |
MS15-127 Security Update for Microsoft Windows DNS
MS15-127 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. KB3100465 has been released for fixing the bellow vulnerability:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6125 | 9.3 | No | No | None |
MS15-128 Security Update for Microsoft Graphics Component
MS15-128 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts. KB3104503 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6106 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6107 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6108 | 9.3 | No | No | None |
MS15-129 Security Update for Silverlight
MS15-129 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Silverlight. KB3106614 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6114 | 4.3 | Yes | Yes | None |
| CVE-2015-6165 | 4.3 | No | No | Marcin 'Icewall' Noga of Cisco Talos |
| CVE-2015-6166 | 9.3 | No | No | None |
CVE-2015-6114 vulnerability details have been disclosed publicly by @_Icewall from Cisco Talos vulndev team.
MS15-130 Security Update for Microsoft Uniscribe
MS15-130 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts. KB3108670 has been released for fixing the bellow vulnerability:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6130 | 9.3 | No | No | Hossein Lotfi, Secunia Research (now part of Flexera Software) |
MS15-131 Security Update for Microsoft Office
MS15-131 security update, classified as Critical, allowing remote code execution, is the fix for 6 privately reported vulnerabilities in Microsoft Windows. Interesting to see that CVE-2015-6124 has been privately reported but seen as exploited in wild. KB3116111 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6040 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6118 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs |
| CVE-2015-6122 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6124 | 9.3 | No | Yes | None |
| CVE-2015-6172 | 9.3 | No | No | Haifei Li of Intel Security IPS Research Team |
| CVE-2015-6177 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs |
MS15-132 Security Update for Microsoft Windows
MS15-132 security update, classified as Important, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows. KB3116162 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6128 | 7.2 | Yes | Yes | - Steven Vittitoe of Google Project Zero - Parvez Anwar |
| CVE-2015-6132 | 7.2 | No | No | None |
| CVE-2015-6133 | 7.2 | No | No | None |
CVE-2015-6128 vulnerability details have been disclosed publicly with a proof of concept.
MS15-133 Security Update for Windows PGM
MS15-133 security update, classified as Important, allowing elevation of privilege, is the fix for 1 privately reported vulnerability in Microsoft Windows. KB3116130 has been released for fixing the bellow vulnerability:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6126 | 7.2 | No | No | None |
MS15-134 Security Update for Windows Media Center
MS15-134 security update, classified as Important, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in Microsoft Windows. KB3108669 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6127 | 4.3 | Yes | Yes | Francisco Falcon of Core Security |
| CVE-2015-6131 | 9.3 | Yes | Yes | Zhang YunHai of NSFOCUS Security Team |
CVE-2015-6127 vulnerability details have been disclosed publicly with a proof of concept.
CVE-2015-6131 vulnerability details have been disclosed publicly with a proof of concept.
MS15-135 Security Update for Windows Kernel-Mode Drivers
MS15-135 security update, classified as Important, allowing elevation of privilege, is the fix for 4 privately reported vulnerabilities in Microsoft Windows. Interesting to see that CVE-2015-6175 has been publicly reported and also seen exploited in wild. KB3119075 has been released for fixing the bellow vulnerabilities:
| CVE | CVSS score | Disclosed | Exploited | Credit |
|---|---|---|---|---|
| CVE-2015-6171 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6173 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6174 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6175 | 7.2 | Yes | Yes | None |