Say good-bye to Microsoft security bulletins
19 December 2016
This is the last month that will see security bulletins from Microsoft, an eventuality many have been anticipating. At the moment patch numbering is interlocked: security bulletins reference KB numbers that do not appear in the Windows 10 cumulative updates or in the Windows 7/8.1 security-only and monthly roll-up packages.
But hope is at hand, as it will get less complicated next month.
This month there were 12 security bulletins from Microsoft, six rated critical and six important, plus the obligatory Flash Player patch, updates for the Excel Viewer and the Office Compatibility Pack, and a bewildering array of previews that most users will not want unless they are testing software. There was also a welcome revamp of the way Win7/8.1 security-only and monthly rollup patches overlap and supersede each other.
The Win10 1607 cumulative update KB 3206632 fixed a major internet connection bug. There is the usual massive list of Office 2003, 2007, 2010, 2013, and 2016 patches in KB 3208595, which combines the 6 December non-security updates with the 13 December security updates. Almost 100 patches appear on the list. There has not been much feedback reporting problems, as yet.
The SANS Internet Storm Center says there are known exploits for four of this month’s patches; in other words, four zero-days. Two of the exploited patches are for Internet Explorer and Edge. A third is the .Net Framework patch KB 3205640 (more on that anon). That leaves one ‘real’ zero-day that most users need to be concerned about: MS16-146 / KB 3204066, the security update for the Microsoft Graphics Component.
Tyler Reguly at Tripwire describes the issue this way:
“Two code execution vulnerabilities in the Windows Graphic component and an information disclosure in GDI. In addition to the vulnerability fixes, this update provides defence-in-depth changes that are not fully documented in the bulletin.”
It looks like the hole already being exploited is CVE-2016-7272, a remote code-execution vulnerability about which very little has been published.
All of which brings us to the morass known as .Net Framework updates. In October there were separate security-only patches for .Net 3.5.1 and for .Net 4.x. This month there is a security-only update for .Net 4.6.2 and a monthly roll-up covering all versions of .Net (including 4.6.2). For anyone running Win7, the security-only patch for .Net 4.6.2, KB 3205394, can be found in the Microsoft Update Catalog, or the same fixes can be taken via the monthly roll-up in Windows Update.
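For anyone trying to work out which of this month’s packages actually landed on a given machine, the following PowerShell check is an added example, not code from the article or from Microsoft. It queries Get-HotFix (the Win32_QuickFixEngineering record of installed Windows updates) for a list of KB numbers and reports each as installed or not; the KB numbers in the sample call are the ones the article names as installable packages, and the function name Test-KbInstalled is an assumption of this example.

```powershell
# Added example, not part of the article or any Microsoft tooling.
# Reports whether the given KB numbers are recorded as installed, using
# Get-HotFix (Win32_QuickFixEngineering). Assumes it runs on the Windows
# box being checked in a PowerShell 3+ session.
function Test-KbInstalled {
    param(
        # '3206632', 'KB3206632' and 'KB 3206632' are all accepted.
        [Parameter(Mandatory)] [string[]] $KbId
    )
    # QFE records IDs in the form 'KB3206632'; normalise input to match.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID.ToUpperInvariant() })
    foreach ($id in $KbId) {
        $norm = 'KB' + ($id -replace '[^0-9]', '')
        [pscustomobject]@{
            KB        = $norm
            Installed = ($installed -contains $norm)
        }
    }
}

# Constructed call using the package-level KBs named in the article
# (adjust to the OS you are on; not every one applies to every version):
#   3206632  Win10 1607 cumulative update
#   3205394  .Net 4.6.2 security-only update for Win7
#   3204723  MS16-151 win32k.sys update for Vista / Server 2008
Test-KbInstalled -KbId 3206632, 3205394, 3204723 | Format-Table -AutoSize
```

Two caveats follow directly from the interlocked numbering the article opens with. An Installed value of False does not prove the fix is absent: on Win7/8.1 a later monthly rollup carries a different KB number and supersedes the security-only package, and on Win10 a later cumulative update replaces the earlier one. Bulletin-level numbers such as MS16-146’s KB 3204066 are bulletin identifiers, and the package QFE records may be listed under a different number, so look up the package KB for your OS in the Update Catalog before concluding anything. Office updates such as KB 3208595 are not in QFE at all; check Installed Updates in Programs and Features for those.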
There is a raging debate on AskWoody.com about the intrusive nature of .Net Framework Monthly Roll-ups. The general consensus is that most Windows users are OK installing the whole monthly rollup, instead of trying to pluck out the security-only portions.
Finally, for anyone still running Vista, there is this advice from AskWoody contributor ER about speeding up Windows Update scans:
“It looks like the KB3204723 security updates from MS security bulletin MS16-151 are the new Windows Update win32k.sys “speed-up” fixes for Windows Vista & Server 2008. Once again, KB3204723 is a new temporary “speedup” patch that will work from 13 December, 2016 to 9 January, 2017.”
As usual, it is recommended to hold off on applying any of these patches until the initial carnage has run its course. When it is safe to patch, full details will be posted, including download links for those who wish to stay in the Group B security-only camp.
IDG News Service