Patch Tuesday November 2016: Microsoft Fixes Flaw Controversially Outed By Google

Microsoft’s Patch Tuesday fixes a zero-day flaw that is being exploited in the wild by a hacker group called Strontium, a group allegedly linked to senior Russian officials.

November’s security update is a fairly large one with 14 security bulletins, six of which are critical and eight rated as important.

Some may feel the top priority for IT managers is MS16-135, which fixes a vulnerability that was disclosed by Google in a controversial manner late last month. Microsoft was left fuming after Google gave Redmond just six days to patch it before it went public.

Google Controversy

Google justified its actions saying it normally gave software vendors extensions to its 60-day disclosure period if they say they’re working on a patch, but that doesn’t apply to bugs being actively exploited, which get only seven days.

That vulnerability was being exploited by Strontium hackers, the same group that US intelligence officials last month officially blamed for recent politically motivated hacking incidents, including the release of emails stolen from the Democratic National Committee (DNC).

“The November Patch Tuesday is here and it’s a big one with 14 bulletins covering 68 unique CVEs,” blogged Karl Sigler, Threat Intelligence Manager at Trustwave. “Despite the large volume of patches, this patch cycle still promises to be less painful than Election Day here in the USA.

“Over all we have six bulletins rated Critical and eight rated Important. The Critical bulletins affect the usual suspects like Internet Explorer and Edge, GDI and Adobe Flash, but several components we rarely see also make an appearance including remote code execution vulnerabilities in Microsoft Video Control and Microsoft Windows core OS.”

Patch Breakdown

“November Patch Tuesday is forced to share the spotlight this month,” said Todd Schell, Product Manager at Heat Software.

“It’s Election Day in the US and likely on the minds of most people. However, Microsoft also released 14 security updates today, 6 of which are rated critical. Thankfully, there is just one active exploit on an older version of Windows this month so once you’ve cast your vote, make sure to apply these updates.”

Schell thinks that browser updates should be the top priority for IT teams.

MS16-129 is a critical, cumulative update for Edge. It addresses 17 unique CVEs, the most troublesome being the possibility of a remote code execution if a user views a malicious webpage while using Edge,” said Schell. “Internet Explorer users also have a critical, cumulative update in MS16-142 which could also result in a remote code execution when successfully exploited.”

Meanwhile MS16-141 is a critical update for Adobe Flash Player when installed on latter versions of Windows.

MS16-130 is a critical update for almost all versions of Windows, both desktop and server applications.

What do you know about Internet security? Find out with our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

AT&T Admits Data Breach Impacted “Nearly All” Customers

American telecommunications giant AT&T admits that “nearly all” customer accounts were compromised in 2022 breach

12 hours ago

Elon Musk’s X Breached DSA Rules, EU Finds

X's Blue checks 'used to mean trustworthy sources of information. Now our preliminary view is…

16 hours ago

Japan’s SoftBank Acquires AI Chip Start-up Graphcore

SoftBank Group has purchased another British chip firm, with the acquisition of Bristol-based Graphcore Ltd…

17 hours ago

Samsung AI-Upgraded Bixby Voice Assistant Coming This Year

Samsung reportedly confirms it will launch the upgraded voice assistant Bixby this year, that will…

1 day ago

Next Neuralink Brain Implant Coming Soon, Says Musk

Despite an issue with first Neuralink implant in a patient, Elon Musk says second brain…

1 day ago

EU Accepts Apple’s Legal Commitments To Open NFC Access

Legal commitment over Apple's NFC-based mobile payments system, which is to be opened to rival…

2 days ago