November 2015 Security Updates Summary

Earlier today Microsoft issued 12 security bulletins to address 53 CVEs (defined). As always, further details are available within their Security Bulletin Summary.

At the time of writing, a number of bulletins have Known Issues associated with them (as mentioned in the Security Bulletin Summary). They are:

MS15-121: Security update for Schannel to address spoofing: This knowledge base article mentions that any custom providers for Schannel will no longer work after this update is installed. Microsoft advises working with the vendor of such custom providers to update them.

MS15-123: Skype for Business November 2015 cumulative update (kb3108096): Issues with instant messages not being received and loss of video when joining a meeting are mentioned. There is a workaround for the latter issue.

MS15-115: Description of the security update for Windows: While this update is listed as having Known Issues, none are currently present within the knowledge base article linked above.

MS15-122: Description of the security update for Windows Kerberos: While this update is listed as having Known Issues, none are currently present within the knowledge base article linked above.

Update: 13th November 2015:
An additional workaround for the remaining Known Issue that occurs after installing MS15-123: Skype for Business November 2015 cumulative update (mentioned above) is now available from this link.

Moreover, MS15-115: Security update for Windows was re-published on the 11th of November due to issues that caused Microsoft Outlook to crash or left users unable to log into Windows after installing this update. According to the aforementioned link, these issues should now be resolved.

Microsoft also issued a security advisory for Windows Hyper-V to address 2 CVEs with Important severity that could lead to a denial of service issue (defined). Please add this update to your Patch To-Do List if you make use of this software.

At this time, the IT Pro Patch Tuesday blog does not mention any known issues; it may be updated at a later stage.

Adobe issued updates to Flash Player and Adobe AIR (its application runtime) to resolve 17 critical CVEs. Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). Users of Google Chrome have received this Flash update within this Chrome update (I have confirmed this). Microsoft has announced the availability of their Flash update by updating this security advisory for users of Internet Explorer 10, 11 and Microsoft Edge installed on Windows 8.0, 8.1 and Windows 10 (respectively).

You can monitor the availability of security updates for the majority of your software from the following website (among others) or use Secunia PSI:

US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the Protecting Your PC page):

If you use any of the above software, please install the appropriate updates as soon as possible.
Steps for installing updates for Windows are provided on the “Protecting Your PC” page.

I would recommend installing the update to Adobe Flash Player first if you make use of this web browser plugin. Their update addresses 17 critical security issues which may be exploited by exploit kits (defined) within a short timeframe.

If you wish to prioritize the deployment of the Microsoft security updates, I would recommend an installation order of Security Update for Windows, Internet Explorer, Windows Journal, Microsoft Office and Microsoft Edge due to their severity (successful exploitation results in remote code execution, namely allowing a remote attacker to carry out any action of their choice). After installing these updates, install any remaining applicable Microsoft security updates.

Update: 17th November 2015:
If your organization uses Windows BitLocker you may wish to prioritize the installation of the Security Update for Kerberos (MS15-122) since it addresses a potentially severe authentication bypass vulnerability that could lead to the data on your BitLocker encrypted devices being much more easily obtained by an attacker. Further details are available in a more recent blog post.

One other security precaution that you may wish to take if you have Microsoft EMET installed is to use it to protect you from Adobe Flash being used to exploit vulnerabilities when you open a Microsoft Office document or Adobe PDF file. I provide recommendations on how to do this at the end of July’s Update Summary.

As always, as a routine precaution, I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.
