November Patch Tuesday fixes controversial Windows 0-day hole

Microsoft’s latest Patch Tuesday is out, even if Redmond’s monthly updates haven’t officially been called “patches” for more than two years now.

There are 14 bulletins this time around, broken down in severity as follows:

  • Six tagged as Critical involving Remote Code Execution (RCE) bugs.
  • One tagged as Important involving a Remote Code Execution bug.
  • Six tagged as Important involving Elevation of Privilege (EoP) bugs.
  • One tagged as Important involving a Security Bypass hole.

The patch with the most controversial backstory is one of the six EoP vulnerabilities that is documented in bulletin MS16-135, or Security Update for Windows Kernel-Mode Drivers (3199135), to give its full title.

There were actually five separate bugs fixed in various parts of the kernel, but the one that grabbed the media spotlight recently is known as CVE-2016-7255, originally disclosed to Microsoft by Google researchers, who apparently encountered it in the wild.

An unpatched vulnerability that’s already being used by cybercriminals earns the moniker zero-day, or 0-day, meaning that even well-informed system administrators had zero days during which they could have patched proactively.

More simply put, the term zero-day generally refers to a situation where the bad guys beat the good guys to it.

The controversy in this case is that Google publicly disclosed the CVE-2016-7255 zero-day after just seven days, even though Microsoft had an official patch window coming up within two weeks.

Google’s claims about these automatic, algorithmically timed disclosures for what it considers “critical vulnerabilities under active exploitation” are:

  • Seven days is a fair target to build, test and ship countermeasures for a hole that the crooks are already exploiting.
  • The seven-day process follows documented company policy, so it can’t be considered a surprise.
  • A one-size-fits-all policy makes disclosure timings objective, so that no one can imply that some vendors get more liberal treatment than others.

In other words, if Microsoft wanted to avoid the world hearing about the hole before the patch was out, it shouldn’t have waited a further 10 days for Patch Tuesday to roll around.

Not everyone agrees that such an inflexible approach is appropriate, seeing it as a sort of technical religiosity that removes the human touch in fighting back against cybercrime, and arguing that rushing a fix out against an inevitable seven-day deadline may not always be possible or desirable.

Wherever you sit on the time-to-disclosure fence, Microsoft has now closed the hole that Google brought to the word’s attention, so if you need a reason to follow our usual advice to patch early, patch often, let this be it.

Actually, there’s an even more compelling reason to patch early, patch often this month: bulletin MS16-132 includes a patch for an RCE vulnerability in how Windows handles Open Type fonts.

In other words, a deliberately booby-trapped font could trick your computer into installing malware without any popup or warning dialog that might otherwise draw your attention to the attack.

Just like the abovementioned CVE-2016-7255 kernel bug, this one gets Microsoft’s most serious exploitability score of zero.

To explain: lower numbers are worse. 4 means “not affected”. When you get to 1, or “exploitation more likely”, you can assume that the crooks will probably figure it out soon. 0, however, means “exploitation detected”, which you can remember using the mnemonic that zero is short for zero-day.

What to do?

We’ve already used the words patch early, patch often, so that’s what to do.

Of course, if you’ve already told your version of Windows to go ahead with updates automatically, don’t forget to check that the updates actually happened.

And, by the way, bear in mind that the controversially disclosed kernel bug described above was used in the wild in conjunction with an Adobe Flash hole.

The Flash bug got the crooks in, but only with the power of a regular user, and the kernel bug got them up to administrator level.

So, we’ll take this opportunity to remind you once again, if you’re still using Flash, to try living without it for a while, given that fewer and fewer sites use it these days, and few of those still actually require it.