November Patch Tuesday 2015

November Patch Tuesday comes with 12 Microsoft bulletins and an update for Adobe Flash Player. For Windows 10 users there is the question of the Fall Refresh. It did not release today, but it’s likely not too far off. We may even see it on Thursday.

Microsoft has released four critical updates and eight important updates. The updates are mostly OS related, but there is an Office update and two other updates that affect Skype for Business. Four of the bulletins are resolving a vulnerability that has been publicly disclosed. This means that these four bulletins are a higher risk of exploit. For these, expect that in as few as two to four weeks there could be working code exploits taking advantage of these vulnerabilities.

If you look closely at MS15-113, the update for the Edge browser on Windows 10, you will see that it has been released for the Fall Refresh (Threshold 2). Expect that you’ll need to apply this after you upgrade to Windows 10 build 1511, which we expect on Thursday of this week.

MS15-115 resolves seven vulnerabilities in Windows, which could allow remote code execution.  CVE-2015-6109 is resolved by this bulletin and has been publicly disclosed. This particular vulnerability resolves an issue where an attacker could gain information on the location of the Kernal driver in memory. 

MS15-116 resolves seven vulnerabilities in Office, Sharepoint, Lync and Skype for Business, which could allow remote code execution. CVE-2015-2503 is resolved by this bulletin and has been publicly disclosed. This vulnerability on its own is not too terrible, but if used in conjunction with other vulnerabilities it could be used to elevate privileges. 

MS15-120 resolves one vulnerability in Windows, which could allow an attacker to cause a denial of service to systems running IPSec. CVE-2015-6111 is resolved by this bulletin and has been publicly disclosed. 

MS15-121 resolves one vulnerability in Windows, which could allow an attacker to exploit Schannel using a man-in-the-middle attack. CVE-2015-6112 is resolved by this bulletin and has been publicly disclosed. 

On the third party front, Flash player has released an update that includes 17 security fixes. This is a Priority 1 update and should be considered a high priority. Keep in mind that with Flash Player comes additional updates. You should expect plug-in updates for Internet Explorer, FireFox and Chrome today as well. You must update the Player instance and all browser plug-ins to be fully protected from these 17 vulnerabilities.

Join us tomorrow for the November Patch Tuesday webinar where we will discuss the bulletins in more detail.