Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-610 on Wednesday, April 15th.
| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-032 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| | Internet Explorer ASLR Bypass Vulnerability | CVE-2015-1661 |
| MS15-033 | Microsoft Office Memory Corruption Vulnerability | CVE-2015-1641 |
| | Multiple Microsoft Office Component Use After Free Vulnerabilities | MULTIPLE |
| | Microsoft Outlook App for Mac XSS Vulnerability | CVE-2015-1639 |
| MS15-034 | HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 |
| MS15-035 | EMF Processing Remote Code Execution Vulnerability | CVE-2015-1645 |
| MS15-036 | Multiple SharePoint XSS Vulnerabilities | MULTIPLE |
| MS15-037 | Task Schedule Elevation of Privilege Vulnerability | CVE-2015-0098 |
| MS15-038 | NtCreateTransactionManager Type Confusion Vulnerability | CVE-2015-1643 |
| | Windows MS-DOS device name Vulnerability | CVE-2015-1644 |
| MS15-039 | MSXML3 Same Origin Policy SFB Vulnerability | CVE-2015-1646 |
| MS15-040 | Active Directory Federation Services Information Disclosure Vulnerability | CVE-2015-1638 |
| MS15-041 | ASP.NET Information Disclosure Vulnerability | CVE-2015-1648 |
| MS15-042 | Windows Hyper-V DoS Vulnerability | CVE-2015-1647 |
MS15-032
This month starts like most others, with an update for Internet Explorer. In total, 10 CVEs are resolved, 9 that lead to memory corruption and a lone ASLR bypass. The good news is that none of the vulnerabilities this month has been publicly disclosed. That said, updating IE should always be a high priority.
MS15-033
Up next this month, we have the Microsoft Office “mega-bulletin”, which resolves multiple vulnerabilities affecting Microsoft Office, SharePoint Server, Office Web Apps Server, Office Word Viewer, and the Compatibility Pack. There’s no shortage of affected products in this bulletin.
MS15-034
A critical vulnerability this month is MS15-034, a remote code execution vulnerability in HTTP.sys, meaning that IIS is affected. There are no reports of public exploitation at this time, but given the nature of this vulnerability, it will likely be a popular target for attackers, so applying this patch as soon as possible is critical. The vulnerability involves the handling of specially crafted HTTP requests.
MS15-035
Also on the list this month is another graphic processing vulnerability. We’ve seen a couple of vulnerabilities of this nature this year and all of them are rather similar. They affect a specific graphic format, in this case Enhanced Metafile (EMF) images, and they can be used in a drive-by attack scenario.
MS15-036
The next bulletin this month resolves two cross-site scripting vulnerabilities in Microsoft SharePoint 2013 and Microsoft Project Server. While Microsoft considers XSS to be an elevation of privilege, keep in mind that it will allow the attacker to execute script in your browser, which could have worse outcomes than privilege escalation.
MS15-037
MS15-037 is an interesting update because no files are included in the patch. Instead, the update looks for invalid scheduled tasks related to Windows Defender and removes them. The vulnerability described by CVE-2015-0098 has to do with using invalid tasks to execute your own applications; these applications will execute in the context of System.
MS15-038
The next update this month resolves two vulnerabilities in Windows that could lead to privilege escalation.
MS15-039
MSXML 3.0 ships with every supported version of Microsoft Windows. The vulnerability allows the attacker to bypass the Same Origin Policy by making use of the document type declaration (DTD) used in XML files.
MS15-040
A vulnerability that only affects Windows Server 2012 R2 is resolved in MS15-040, specifically on systems using Active Directory Federation Services. If a user logs off a session, ADFS may not properly terminate the session, allowing a malicious individual to reopen the application and resume the previous user's session with their permissions and access.
MS15-041
The second-to-last bulletin this month closes an information disclosure issue related to ASP.NET custom error messages. When custom errors are disabled, the generation of an error could disclose portions of the web configuration file. Microsoft has noted that this is not the recommended configuration for production systems, which should, hopefully, limit this issue to test environments.
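The following is an added example, not part of the original alert or any Microsoft tooling: a small audit that flags `web.config` files where custom errors are disabled, the configuration MS15-041 describes. It assumes the standard ASP.NET layout (`<customErrors>` under `<system.web>`, optionally inside `<location>` overrides); the sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample web.config (not taken from any real system).
WEAK = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>"""
HARDENED = WEAK.replace('mode="Off"', 'mode="RemoteOnly"')  # corrected setting


def audit_custom_errors(xml_text, name="web.config"):
    """Return findings for every scope where custom errors are disabled."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{name}: could not parse ({exc})"]
    # Some older files declare a default xmlns on <configuration>; strip it.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    # <system.web> appears at the top level and inside <location> overrides.
    scopes = [("site root", root)]
    scopes += [(f"location '{loc.get('path', '')}'", loc)
               for loc in root.iter("location")]
    findings = []
    for label, node in scopes:
        for custom in node.findall("system.web/customErrors"):
            # An absent mode attribute means the ASP.NET default, RemoteOnly.
            if custom.get("mode", "RemoteOnly").lower() == "off":
                findings.append(f"{name}: customErrors mode=Off ({label})")
    return findings


def audit_tree(top):
    """Audit every web.config under directory `top`."""
    findings = []
    for path in Path(top).rglob("*"):
        if path.is_file() and path.name.lower() == "web.config":
            findings += audit_custom_errors(path.read_bytes(), str(path))
    return findings
```

Point `audit_tree` at the directory that holds your site roots; an empty list means no scope has custom errors turned off.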
MS15-042
The final bulletin this month is a vulnerability affecting Microsoft Hyper-V. When a malicious application is executed in a guest operating system, it could prevent the management of other guest operating systems. This update changes the Virtual Machine Manager’s user input validation logic.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table
| | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|---|
| Automated Exploit | | | | | | | |
| Easy | MS15-040 | | | | | | |
| Moderate | | | | | | | |
| Difficult | | | | | | | |
| Extremely Difficult | | | | | | | |
| No Known Exploit | MS15-039 MS15-041 | MS15-042 | MS15-032 MS15-033 MS15-035 | MS15-036 | MS15-037 MS15-038 | MS15-034 | |