с новым годом! Microsoft rings in the New Year with a new set of ten security bulletins MS16-001 through MS16-010, patching 24 CVE detailed vulnerabilities. These bulletins effect Microsoft web browsers and plugins, Office software, Windows system software, and Exchange mail servers. Six of them maintain a critical rating. The Critical bulletins effect the following software:
- Silverlight Runtime
- Internet Explorer
- Microsoft Edge
- VBScript and JScript scripting engine
- Microsoft Office, Visio, and SharePoint
- Windows Win32k Kernel Components
Somewhat surprisingly with over twenty vulnerabilities, Microsoft claims to be unaware of public exploitation of any of them at the time of reporting, however they acknowledge at least three were publicly disclosed. Nonetheless, the urgency to patch remains, so please update your software.
Of these, the Silverlight vulnerability CVE-2016-0034 (note that Mitre records the CVE as assigned on 2015.12.04) appears to be the most interesting and most risky, as it enabled remote code execution across multiple platforms for this widespread software, including Apple. But more of the IE, Edge and add-on related vulnerabilities also provide opportunity for mass exploitation. Don’t forget to return to Securelist soon for concrete perspective and upcoming posts detailing past and ongoing exploitation of these issues.
It’s also assuring to see Microsoft security operations pushing the edges of improving TLS algorithms to encrypt web sessions and provide greater privacy. Even their Technet page for a summary of these Bulletins provides TLS 1.2, implementing 3DES_EDE_CBC with HMAC-SHA1 and a RSA key exchange. But, it looks like their research group hasn’t pushed forward their work on post-quantum resistant TLS key exchange (Full RWLE Paper [pdf]), as “R-LWE in TLS” into production. Tomorrow’s privacy will have to wait.