Published January 5, 2016
Revision Note: V53.0 (January 5, 2016): Added the 3133431 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10; the update is also available for Adobe Flash Player in Microsoft Edge on all supported editions of Windows 10. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge.
Published December 8, 2015
Revision Note: V1.1 (December 8, 2015): Advisory updated to include more information about disabling DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. The update allows DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons.
Summary: Microsoft is announcing the availability of an update to harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. DES is considered a weak cipher due to well-known brute force and faster than brute force attacks. The cryptographic algorithm has also been removed from the standard [RFC 6649]. To further protect our users, Microsoft has disabled DES by default in Windows 7 and Windows Server 2008 R2 and later operating systems. However, this update does allow DES to be used between client and server to address scenarios in which DES is still required for application compatibility reasons. The improvement is part of ongoing efforts to bolster the effectiveness of encryption in Windows and still support legacy line-of-business (LOB) applications.
Published December 8, 2015
Revision Note: V1.0 (December 8, 2015): Advisory published.
Summary: Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
Published November 30, 2015
Revision Note: V1.0 (November 30, 2015): Advisory published.
Summary: Microsoft is aware of unconstrained digital certificates from Dell Inc. for which the private keys were inadvertently disclosed. One of these unconstrained certificates could be used to issue other certificates, impersonate other domains, or sign code. In addition, these certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Dell customers. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue.
Published November 10, 2015
Revision Note: V1.0 (November 10, 2015): Advisory published.
Summary: Microsoft is announcing the availability of a security update for Windows Hyper-V to protect against a denial of service condition that can be triggered with certain central processing unit (CPU) chipsets. Although the weakness resides in the chipset, Microsoft is issuing this security update to protect customers. The update prevents guests on a Hyper-V system from triggering a weakness in the CPU that could allow instructions from a Hyper-V guest to place its Hyper-V host’s CPU into an unresponsive state, leading to a denial of service condition for the guest operating systems running on the affected host. Successful exploitation of the CPU weakness would require kernel-mode code execution privileges on the guest operating system.
Published October 13, 2015
Revision Note: V2.0 (October 13, 2015): Advisory revised to broaden the affected software list to include Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications, and to provide customers running these configurations with steps for manually disabling RC4 in TLS. See the Affected Software and Suggested Actions sections of this advisory for more information.
Summary: On May 13, 2014, Microsoft announced the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Published October 13, 2015
Revision Note: V2.0 (October 13, 2015): Advisory revised to notify customers that an update is available that modifies the Code Integrity component in Windows to extend trust removal for the four digital certificates addressed by this advisory to also preclude kernel-mode code signing.
Summary: Microsoft is aware of four digital certificates that were inadvertently disclosed by D-Link Corporation that could be used in attempts to spoof content. The disclosed end-entity certificates cannot be used to issue other certificates or impersonate other domains, but could be used to sign code. This issue affects all supported releases of Microsoft Windows.
Published October 13, 2015
Revision Note: V1.1 (October 13, 2015): Advisory revised to announce that the Default Cipher Suite Prioritization update (3042058), originally released May 12, 2015 via the Microsoft Download Center (DLC) only, is now also available via Microsoft Update (MU) and Windows Server Update Services (WSUS). This is an update offering venue change only. There were no changes to the update files. Customers who have already successfully installed the update do not need to take any action.
Summary: On May 12, 2015, Microsoft announced the availability of an update to cryptographic cipher suite prioritization in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The update added additional cipher suites to the default list on affected systems and improved cipher suite priority ordering. The improvements were in keeping with ongoing efforts to bolster the effectiveness of encryption in Windows operating systems.
Published September 8, 2015
Revision Note: V1.0 (September 8, 2015):
Summary: Microsoft is announcing the availability of a defense-in-depth update that improves the enforcement of publisher rules by Windows AppLocker in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The improvement is part of ongoing efforts to bolster the effectiveness of security controls in Windows.
Published July 14, 2015
Severity Rating: Important
Revision Note: V1.0 (July 14, 2015): Advisory published
Summary: Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malicious Software Removal Tool (MSRT) is available that addresses a security vulnerability that was reported to Microsoft. The vulnerability could allow elevation of privilege if an attacker logs on to a target system and places a specially crafted dynamic link library (.dll) file in a local directory. An authenticated attacker who successfully exploited the vulnerability could elevate privileges on a target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
