Security patches for Windows, macOS, iOS and other Apple firmware, and a host of Adobe products, were emitted this week.
The final scheduled patch dump of the year sees Microsoft deliver fixes for multiple products, while Apple has security updates for iOS, macOS, Safari, and iTunes, and Adobe patches nine products including Flash Player and InDesign.
Redmond's holiday fixes
The December edition of Patch Update Tuesday will see a dozen bulletins from Microsoft to address security holes in both of its browsers as well as Windows, Office, and the .NET Framework.
- MS16-144 is a cumulative update for Internet Explorer to address a total of eight CVE-listed vulnerabilities that allow for web pages to perform remote code execution, data disclosure, and security bypass attacks.
- MS16-145 is the cumulative update for the Edge browser. It addresses 11 flaws that could allow remote code execution and information disclosure.
- MS16-146 is a patch for the Microsoft Graphics Component in Windows. It addresses three CVE-listed flaws that would allow for a malformed webpage or document to remotely execute code and harvest user information.
- MS16-147 fixes a bug in Windows Uniscribe that allows web pages and documents to perform remote code execution via an error in the handling of objects in memory.
- MS16-148 remedies 13 CVE-listed flaws in Office, including remote code execution, information disclosure, and security bypass holes. The update is being posted for Office 2007, 2010, 2013, 2013 RT, 2016, and both versions of Office for Mac.
- MS16-149 covers an information disclosure hole in Windows Crypto Driver and an elevation of privilege vulnerability in the Windows Installer component. To exploit the flaws, the victim would need to run either a specially crafted application or load an insecure library.
- MS16-150 addresses a single elevation of privilege flaw in the Windows Secure Kernel that could allow a malicious application to circumvent virtual trust level protections.
- MS16-151 fixes two elevation of privilege flaws in the Windows Kernel-Mode Driver.
- MS16-152 is an information disclosure bug in Windows Kernel that could allow a malicious application to harvest personal data.
- MS16-153 patches a single CVE-listed flaw in the Windows Common File Log system that could allow information disclosure to a malicious application.
- MS16-154 is Microsoft's release of the Adobe Flash Player update for Edge and Internet Explorer. It addresses a total of 17 CVE-listed flaws.
- MS16-155 patches an information disclosure vulnerability in the .NET Framework.
Meanwhile, in Cupertino...
Apple has kicked off the week with a bundle of security updates on consecutive days. The releases address flaws in iOS and macOS, as well as a number of Apple products for Windows.
- iOS 10.2 update brings with it fixes for 64 different CVE-listed vulnerabilities in the core components of iOS itself, as well as the built-in Safari browser and the WebKit browser engine. The update can be downloaded from the iOS Software Update tool.
- macOS Sierra 10.12.2 includes patches to address 72 flaws, including the WebKit and Safari vulnerabilities.
- Safari 10.0.2 will be released for those Macs not yet on Sierra. It contains fixes for 23 vulnerabilities in the WebKit engine and a patch for a cross-site scripting bug in the Safari reader.
- tvOS 10.1 will be pushed out for the AppleTV set-top box and contains patches for 49 CVE-listed flaws, 23 of those being WebKit fixes.
- iTunes 12.5.4 for Windows PCs brings with it 23 patches for WebKit.
- iCloud for Windows 6.1 remedies the 23 WebKit vulnerabilities as well as an information disclosure hole in the iCloud desktop software for Windows 7 and later.
And who can forget Adobe?
The media software giant chose to deliver nine updates of its own to close out the year, including its monthly Flash Player bug fix parade.
- Adobe Flash Player, also known as "the internet's screen door," will see 17 CVE-listed bugs patched this month for Windows, macOS, and Linux versions. Systems running Google Chrome, Microsoft Edge, and Internet Explorer 11 or later should get the update automatically through their browser.
- Adobe Animate has been updated to plug a single memory corruption flaw.
- Adobe Experience Manager Forms will get fixes for a pair of cross-site scripting vulnerabilities.
- Adobe DNG Converter on Windows and Mac has been patched for a critical memory corruption vulnerability.
- Adobe Experience Manager is updated to protect against four cross-site scripting vulnerabilities.
- Adobe InDesign is now protected from a critical memory corruption vulnerability in Windows and macOS.
- ColdFusion Builder on Windows, macOS and Linux has been updated to address an information disclosure vulnerability.
- Adobe Digital Editions has been patched to address two information disclosure leaks on the Windows, macOS and Android versions of the reader software.
- Adobe RoboHelp has received an update to remedy a single cross-site scripting vulnerability.
Users and administrators are advised to test and apply the updates as soon as possible. ®