Skip to main content

Microsoft goes on security update rampage, releases 71 bulletins

Microsoft issued on Tuesday 8 December a package of 71 security updates, two of which addressed current attack vectors in Microsoft Office and the Windows kernel.

Microsoft released more than a dozen security update bulletins, eight of which they rated as critical. Two in particular were vulnerabilities already known to be subject to attacks. One of these critical security flaws is a known memory issue in Microsoft Office, which Microsoft has addressed in security patch CVE-2015-6124. This is one of six similar flaws patched in that bulletin.

The other critical bulletins are:

  • MS15-124, for IE, patches 30 vulnerabilities, including almost two dozen memory corruption vulnerabilities
  • MS15-125, patches 15 vulnerabilities in the Windows 10 browser, including critical remote code execution bugs resulting from memory corruption vulnerabilities.
  • MS15-127, a use-after-free vulnerability in Windows DNS that allows an attacker to remotely run code using just a crafted request to a DNS server.
  • MS15-128: a security update for Microsoft Graphics Component patching remote code execution flaws in Windows, .NET, Office and other Microsoft products.
  • MS15-129: a security update for Silverlight patching remote code execution vulnerabilities.
  • MS15-130: a security update for Microsoft Uniscribe, which patches one remote code execution flaw.

There are also three other bulletins rated Important:

  • MS15-132: a security update for Windows patching remote code execution vulnerabilities.
  • MS15 -133: a security update for Windows PGM that patches a elevation of privilege flaw.
  • MS15 -134 a security update for Windows Media Center that patches remote code execution vulnerabilities.

If that was not bad enough, Microsoft also released an advisory warning of a leaked Xbox live certificate and private encryption key pair – which it has now revoked.

The leaked certificate can no longer be used to generate new certificates sign code or be used to spoof domains. However, Microsoft warns, that it could still be used in a man in the middle attack.

Image Credit: alexskopje / Shutterstock