November Patch Tuesday 2016
It’s Election Day! I hope you all voted or will be hitting the polls soon, as this election round has been one for the history books. November 8 also happens to be Patch Tuesday. While this is notably of far less concern than hitting the polls today, Patch Tuesday will be delivering updates from Microsoft, Adobe and Google this month and will, unfortunately, still require your attention tomorrow and in the weeks to come.
Microsoft has released 14 bulletins, six of which are rated as critical, resolving 68 unique vulnerabilities. Two of the vulnerabilities have been exploited in the wild (Zero Days), and three of the bulletins contain public disclosures.
First off, we will get a little closure on the Adobe Flash/Microsoft Zero Day that was identified in October and to which Flash released an update on October 26 which resolved CVE-2016-7855. Microsoft has resolved CVE-2016-7255 as part of MS16-135.
Adobe has released another Flash Player update (which is rated as a priority one and resolves nine CVEs. If you haven’t already pushed the Flash update from October 26, ( ) this will be a high priority along with MS16-135.
Microsoft has a second Zero Day vulnerability this month (CVE-2016-7256). MS16-132 resolves an open type font vulnerability that can allow an attacker to remotely execute code. An attacker can target a user to exploit this vulnerability by crafting a document designed to exploit the vulnerability or by hosting a specially crafted website designed to exploit the vulnerability. The attacker would need to convince a user to click on or open the specially crafted content, but that’s really not a significant challenge. This bulletin should also be a high priority this month.
There are a number of public disclosures this month across several bulletins, which means enough information has been leaked to the public to give an attacker a head start on developing exploit code. This increases the risk of exploit occurring for these vulnerabilities so we raise the risk level and priority of bulletins that contain public disclosures. See our Patch Tuesday infographics for more detail.
- MS16-129 for the Edge browser resolves CVE-2016-7199 and CVE-2016-7209
- MS16-135 for Windows resolves CVE-2016-7255 (which has already been exploited)
- MS16-142 for Internet Explorer resolves CVE-2016-7199
Google Chrome went to beta last Wednesday. That along with another Flash Player update means we should expect a Chrome update in the foreseeable future. There is a chance it will come tonight, but it’s more likely to come in the next week. As always you will want to be sure that you have updated Chrome to support the latest Flash Player Plug-In.
If you have not already done so, you will want to make sure to include the Oracle updates from their Q4 CPU that released in October. This included a Critical Java JRE update as well as many other Oracle products.
November also marks the second month of the new servicing model. Here is what you should expect for actual packages to be deployed this month.
The Security Only Bundle (SB16-002) will include the following bulletins: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.
The monthly rollup (CR16-002) will include the following bulletins in addition to quality fixes and previous months’ updates: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.
As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the November Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance.