JPCERT-AT-2016-0046 JPCERT/CC 2016-11-09 <<< JPCERT/CC Alert 2016-11-09 >>> Microsoft Security Bulletin for November 2016 (including 6 critical patches) https://www.jpcert.or.jp/english/at/2016/at160046.html I. Overview Microsoft has released its security bulletin for November 2016. This bulletin contains six (6) updates that are rated as "critical". Remote attackers leveraging these vulnerabilities may be able to execute arbitrary code. Details on the vulnerabilities can be found at the following URL: Microsoft Security Bulletin Summary for November 2016 https://technet.microsoft.com/en-us/library/security/ms16-Nov [Security updates rated as "critical"] MS16-129 Cumulative Security Update for Microsoft Edge (3199057) https://technet.microsoft.com/en-us/library/security/MS16-129 MS16-130 Security Update for Microsoft Windows (3199172) https://technet.microsoft.com/en-us/library/security/MS16-130 MS16-131 Security Update for Microsoft Video Control (3199151) https://technet.microsoft.com/en-us/library/security/MS16-131 MS16-132 Security Update for Microsoft Graphics Component (3199120) https://technet.microsoft.com/en-us/library/security/MS16-132 MS16-141 Security Update for Adobe Flash Player (3202790) https://technet.microsoft.com/en-us/library/security/MS16-141 MS16-142 Cumulative Security Update for Internet Explorer (3198467) https://technet.microsoft.com/en-us/library/security/MS16-142 According to Microsoft, attacks leveraging the vulnerabilities which are addressed in MS16-132 (Critical), MS16-135 (Important) and MS16-142 (Critical) have been observed in the wild. The vulnerabilities in Adobe Flash and Windows Kernel disclosed by Goodle on October 31 2016 have been addressed in MS16-135 (Windows Kernel vulnerability) and MS16-128 (Adobe Flash vulnerability Adobe SecurityBulletin APSB16-36), respectively. Please apply the security update programs as soon as possible. II. Solution Please apply the security update programs through Microsoft Update, Windows Update, etc. as soon as possible. Microsoft Update http://www.update.microsoft.com/ Windows Update http://windowsupdate.microsoft.com/ Microsoft Update Catalog http://catalog.update.microsoft.com/ Microsoft has released the following note regarding MS16-137 (Important). - Users may experience an issue when you try to change domain account passwords in multi-computer setups if Kerberos is configured incorrectly. The Security Update for the Windows Vista and Windows Server 2008 will be affected. This issue may occur if there are configuration issues that resemble the known issue described in the "Known issue 1" section of KB 3167679. See the "Workaround" section for "Known issue 1" in KB 3167679 for more information about how to work around this issue. MS16-101: Description of the security update for Windows authentication methods: August 9, 2016 https://support.microsoft.com/en-us/kb/3167679 III. References Microsoft Microsoft Security Bulletin Summary for November 2016 https://technet.microsoft.com/en-us/library/security/ms16-Nov Microsoft Microsoft Security Information for November 2016 (Monthly) MS16-129 - MS16-142 (Japanese) https://blogs.technet.microsoft.com/jpsecurity/2016/11/09/201611-security-bulletin/ Microsoft MS16-137: Description of the security update for Windows authentication methods: November 8, 2016 https://support.microsoft.com/en-us/kb/3198510 Microsoft Our Commitment to Our Customers Security (Japanese) https://blogs.technet.microsoft.com/jpsecurity/2016/11/04/our-commitment-to-our-customers-security/ Google Disclosing vulnerabilities to protect users https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html Securityweek Microsoft Patches Windows Zero-Day Exploited by Russian Hackers http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers Adobe Systems Security updates available for Adobe Flash Player https://helpx.adobe.com/security/products/flash-player/apsb16-37.html If you have any information regarding this alert, please contact JPCERT/CC. ====================================================================== JPCERT Coordination Center (JPCERT/CC) MAIL: info@jpcert.or.jp TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 https://www.jpcert.or.jp/english/