Virtual Administrator’s November 2015 Patch Recommendations

12 Security Bulletins were released – 4 Critical, 8 Important, and 0 Moderate

This Month In Brief

12 Security Bulletins were released – 4 Critical, 8 Important

We are releasing KB3097877 (MS15-115). As you recall, Microsoft rereleased it last Thursday, claiming the updated patch corrected all of the problems. Since then we have only seen a few isolated complaints about it. Likely those were caused by cached versions of the original patch. Because we never approved the original patch, you should not have cached versions on your endpoints.

If you do have issues please run the uninstall script we provided. The Microsoft link below also gives guidance.

We also have a “KB3097877 uninstall” script posted on ClubMSP.

MS15-115: Description of the security update for Windows: November 10, 2015

https://support.microsoft.com/en-us/kb/3097877

 

KB3097877 has been denied but will likely be released sometime next week – see below. All other patches have been approved.

MS15-112, MS15-113 and MS15-114 are rated Critical. After your next patch cycle completes you should follow up and make sure these are installed.

No out-of-band security updates were released during the last month.

Denied KB3097877 – Microsoft reissued an updated patch early Thursday morning; however, it is too soon to tell if it is safe to deploy. Early reports are promising, but because the original patch caused such huge problems we want to be sure it is safe before releasing it. We will update this blog when we have made a final decision.
The problems initially reported with KB3097877 were “Crashing that occurred in all supported versions of Microsoft Outlook when users were reading certain emails” as well as “Problems that occurred while users were logging on to the system. For example, after a user restarted the computer and then pressed Ctrl+Alt+Delete at the logon screen, the screen flashed and then went black. The user was then unable to continue. There may be other, similar logon issues that are related to this issue.”

If you have machines that did get the original KB3097877 installed here are instructions to remove it. We also have a “KB3097877 uninstall” script posted on ClubMSP.
MS15-115: Description of the security update for Windows: November 10, 2015
https://support.microsoft.com/en-us/kb/3097877

IMPORTANT: Make sure Windows Automatic Updates is disabled and Kaseya is managing your patch deployment.

Some of our partners found themselves scurrying to uninstall KB3097877/MS15-115 on Wednesday. Windows Automatic Updates was still enabled on some machines and automatically pushed out all patches overnight. Your Kaseya Patch Management configuration can be perfect, but if WUA is still enabled it won’t matter. All patches will be pushed out. Another problem is Patch Policy Membership. If an agent is not a member of a patch policy, all missing patches will be installed!

The basic Kaseya patch management settings should be applied to your agent during the initial installation. They are included in the template associated with your installation package. HOWEVER the WUA cannot be set to disable on the template. That setting is not available until after the first patch scan runs. You will always need to disable it manually on the Patch Management> Configure> Windows Auto Update screen in the Kaseya console.

We have a number of Patch Management training videos posted here: http://youtube.com/msponramp/

You can create a View in Kaseya to find these machines. On the first line under the Patch Management category, check “Show members of patch policy”. On the last line under the Patch Management category, check “Windows Automatic Update is not disabled”. Please see “Kaseya Views” (https://virtualadministrator.com/blog/kaseya-views-workstations-but-no-laptops/) for instructions on creating Views with Kaseya.
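The same check can be made on the endpoint itself. The following PowerShell is an added example, not the “KB3097877 uninstall” script from ClubMSP and not part of Kaseya: it reports whether Windows Automatic Updates is disabled and whether KB3097877 is installed. The parameter names and the opt-in `-Uninstall` switch are assumptions of this example; patch policy membership is only visible in the Kaseya console and is not checked here.

```powershell
# Added example: audit one endpoint for WUA state and the presence of a patch.
# Run from an elevated PowerShell session on the machine being checked.
[CmdletBinding()]
param(
    [string]$KbId = 'KB3097877',   # the patch discussed in this post
    [switch]$Uninstall             # assumption of this example: opt-in removal
)

# AutomaticUpdatesNotificationLevel values from the Windows Update Agent API.
$levels = @{
    0 = 'NotConfigured'
    1 = 'Disabled'
    2 = 'NotifyBeforeDownload'
    3 = 'NotifyBeforeInstallation'
    4 = 'ScheduledInstallation'
}

# Ask the Windows Update Agent for its current notification level.
$au    = New-Object -ComObject Microsoft.Update.AutoUpdate
$level = [int]$au.Settings.NotificationLevel

# Group Policy can also switch automatic updates off (NoAutoUpdate = 1).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$policy    = Get-ItemProperty -Path $policyKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
$policyOff = ($null -ne $policy) -and ($policy.NoAutoUpdate -eq 1)

# Get-HotFix writes an error when the ID is absent, so silence it and test the result.
$hotfix      = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$installedOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }

# One object per machine so the output can be collected and filtered centrally.
New-Object PSObject -Property @{
    Computer    = $env:COMPUTERNAME
    WuaLevel    = $levels[$level]
    WuaDisabled = ($level -eq 1) -or $policyOff
    KbId        = $KbId
    KbInstalled = [bool]$hotfix
    InstalledOn = $installedOn
} | Select-Object Computer, WuaLevel, WuaDisabled, KbId, KbInstalled, InstalledOn

if ($Uninstall -and $hotfix) {
    # wusa.exe expects only the numeric part of the KB identifier.
    $number = $KbId -replace '^KB', ''
    Start-Process -FilePath wusa.exe -Wait -ArgumentList "/uninstall /kb:$number /quiet /norestart"
}
```

A machine that reports `WuaDisabled` as False will install every offered patch on its own schedule, regardless of what has been approved or denied in Kaseya.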

Exploitability

Requires Restart

  • Servers: True
  • Workstations: True

New Security Bulletins

(MS#/Affected Software/Type)

CRITICAL

MS15-112 Cumulative Security Update for Internet Explorer (3104517) (Internet Explorer) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Details
Affected Software: Internet Explorer 7-11
Known Issues per MS:

MS15-113 Cumulative Security Update for Microsoft Edge (3104519) (Microsoft Edge) The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge.
Details
Affected Software: Microsoft Edge
Known Issues per MS:

MS15-114 Security Update for Windows Journal to Address Remote Code Execution (3100213) (Microsoft Windows) The vulnerability could allow remote code execution if a user opens a specially crafted Journal file.
Details
Affected Software: Vista, Windows 7, Server 2008/2008R2
Known Issues per MS:

MS15-115 Security Update for Microsoft Windows to Address Remote Code Execution (3105864) (Microsoft Windows) The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to visit an untrusted webpage that contains embedded fonts.
Details
Affected Software: Vista, Windows 7/8/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS: https://support.microsoft.com/en-us/kb/3097877 and https://support.microsoft.com/en-us/kb/3101746

IMPORTANT

MS15-116 Security Update for Microsoft Office to Address Remote Code Execution (3104540) (Microsoft Office, Lync, Skype for Business) The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file.
Details
Affected Software: Office 2007/2010/2013/2016, SharePoint Server 2007/2010/2013, Office 2011/2016 for Mac, Office 2010/2013 Web Apps
Known Issues per MS:

MS15-117 Security Update for NDIS to Address Elevation of Privilege (3101722) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application.
Details
Affected Software: Vista, Windows 7, Server 2008/2008R2
Known Issues per MS:

MS15-118 Security Update for .NET Framework to Address Elevation of Privilege (3104507) (.NET Framework) The most severe of the vulnerabilities could allow elevation of privilege if an attacker convinces a user to navigate to a compromised website or open a link in a specially crafted email that is designed to inject client-side code into the user’s browser.
Details
Affected Software: Vista, Windows 7/8/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:

MS15-119 Security Update for Winsock to Address Elevation of Privilege (3104521) (Microsoft Windows) The vulnerability could allow elevation of privilege if an attacker logs on to a target system and runs specially crafted code that is designed to exploit the vulnerability.
Details
Affected Software: Vista, Windows 7/8/8.1/10, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS:

MS15-120 Security Update for IPSec to Address Denial of Service (3102939) (Microsoft Windows) An attacker who successfully exploited the vulnerability could cause the server to become nonresponsive.
Details
Affected Software: Windows 8/8.1, Server 2012/2012R2, Windows RT, .NET Framework 3.5
Known Issues per MS:

MS15-121 Security Update for Schannel to Address Spoofing (3081320) (Microsoft Windows) The vulnerability could allow spoofing if an attacker performs a man-in-the-middle (MiTM) attack between a client and a legitimate server.
Details
Affected Software: Windows 7/8/8.1, Server 2008/2008R2/2012/2012R2, Windows RT
Known Issues per MS: https://support.microsoft.com/en-us/kb/3081320

MS15-122 Security Update for Kerberos to Address Security Feature Bypass (3105256) (Microsoft Windows) An attacker could bypass Kerberos authentication on a target machine and decrypt drives protected by BitLocker.
Details
Affected Software: Vista, Windows 7/8/8.1/10, Server 2008/2008R2/2012/2012R2
Known Issues per MS: https://support.microsoft.com/en-us/kb/3101246

MS15-123 Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure (3105872) (Microsoft Office, Lync, Skype for Business) The vulnerability could allow information disclosure if an attacker invites a target user to an instant message session and then sends that user a message containing specially crafted JavaScript content.
Details
Affected Software: Lync 2010/2013, Skype for Business 2016
Known Issues per MS: https://support.microsoft.com/en-us/kb/3108096