In November’s patch Tuesday, Microsoft released 12 security bulletins, four rated as critical and the remaining 8 rated as important.
MS15-112 is the cumulative fix for remote code execution flaws in Internet Explorer. Microsoft lists 25 CVEs, most of which are IE memory corruption vulnerabilities. 19 are called Internet Explorer memory corruption vulnerabilities, with three CVEs labeled slightly different as Microsoft browser memory corruption vulnerabilities. Of the remaining CVEs, one involves Microsoft browser ASLR bypass, one is for an IE information disclosure flaw, and one is a scripting engine memory corruption vulnerability. Here is what security experts from Tripwire have to say about the seriousness of the patch.
[su_note note_color=”#ffffcc” text_color=”#00000″]Craig Young, Security Researcher at Tripwire :
“With bulletin MS15-121, Microsoft is taking an important step towards hardening secure connections established through Microsoft’s SChannel library. With this update in place services can now utilize extended master secret computation needed to protect against the “Triple Handshake” attack documented by a team of researchers (including a Microsoft engineer) in March 2014. The “Extended Master Secret Extension” described in RFC7627 was previously implemented in BoringSSL, and is used by Google servers and the Google Chrome web browser, provides enhanced cryptographic binding between sessions spanning multiple connections.
While Microsoft has rated this patch as important, systems administrators using client based certificate authentication should treat this update as high priority for both clients and servers because the described attack can allow a malicious server to inject data into the beginning of a session and potentially interact with a site in defiance of the same-origin policy. Additionally, variations of this attack can enable attackers to impersonate clients on other protocols that use TLS-based authentication. This makes this patch a key priority for VPN servers utilizing PEAP and Active Directory deployments with SASL bindings are also likely to need attention.
Because this is a protocol vulnerability, it is also important to know that all unsupported releases of Windows are, and always will be, vulnerable to this attack; all services utilizing SChannel are also vulnerable. Although the documented attack this patch addresses is limited to systems where session resumption and renegotiation are used in conjunction with TLS-based authentication, the underlying enhancement may prove to thwart other currently unknown attacks as well.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tyler Reguly, Manager of Software Development at Tripwire :
“As Microsoft’s record setting bulletin number continues to climb, we see all of the usual suspects once again. Microsoft’s browsers (Internet Explorer and Edge), along with Office, .NET, and the Windows Kernel all appear to have standing invites to Patch Tuesday every year but we’re definitely seeing new contenders for regular spots this year. Windows Journal and Lync/Skype for Business are definitely at the top of that list making numerous appearances this year.
One of the more interesting updates is likely the SChannel update (MS15-121) since this issue has been publicly discussed for a while on the IETF mailing lists as they worked through a draft to implement an RFC on the topic. Watching protocol discussions, while it may be boring, is an interesting way to gain insight into upcoming vendor updates. It was recently mentioned on one of the mailing lists that Microsoft would soon have support for this issue, making this one of the most expected patches in a while.”[/su_note]