Today’s VERT Threat Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-614 on Wednesday, May 13th.
| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-043 | VBScript ASLR Bypass | CVE-2015-1684 |
| | VBScript and JScript ASLR Bypass | CVE-2015-1686 |
| | Internet Explorer ASLR Bypass | CVE-2015-1685 |
| | Multiple Elevation of Privilege Vulnerabilities | MULTIPLE |
| | Internet Explorer Clipboard Information Disclosure Vulnerability | CVE-2015-1692 |
| | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS15-044 | OpenType Font Parsing Vulnerability | CVE-2015-1670 |
| | TrueType Font Parsing Vulnerability | CVE-2015-1671 |
| MS15-045 | Multiple Windows Journal Remote Code Execution Vulnerabilities | MULTIPLE |
| MS15-046 | Multiple Microsoft Office Memory Corruption Vulnerabilities | MULTIPLE |
| MS15-047 | Microsoft SharePoint Page Content Vulnerabilities | CVE-2015-1700 |
| MS15-048 | .NET XML Decryption Denial of Service Vulnerability | CVE-2015-1672 |
| | Windows Forms Elevation of Privilege Vulnerability | CVE-2015-1673 |
| MS15-049 | Microsoft Silverlight Out of Browser Application Vulnerability | CVE-2015-1715 |
| MS15-050 | Service Control Manager Elevation of Privilege Vulnerability | CVE-2015-1702 |
| MS15-051 | Multiple Microsoft Windows Kernel Memory Disclosure Vulnerabilities | MULTIPLE |
| | Win32k Elevation of Privilege Vulnerability | CVE-2015-1701 |
| MS15-052 | Windows Kernel Security Feature Bypass Vulnerability | CVE-2015-1674 |
| MS15-053 | VBScript ASLR Bypass | CVE-2015-1684 |
| | VBScript and JScript ASLR Bypass | CVE-2015-1686 |
| MS15-054 | Microsoft Management Console File Format Denial of Service Vulnerability | CVE-2015-1681 |
| MS15-055 | Schannel Information Disclosure Vulnerability | CVE-2015-1716 |
MS15-043
This month starts, as expected, with the latest cumulative update for Internet Explorer. Back in March we saw CVE crossover between Internet Explorer and the VBScript/JScript patch, and we see that again now with MS15-043 and MS15-053. Microsoft has laid out the details in a table available in both bulletins, so if you find yourself confused over patch selection, you can refer to the table. Beyond this, the patched vulnerabilities are rather typical Internet Explorer issues; nothing here should be overly surprising.
MS15-044
The next bulletin seems fairly straightforward; it’s simply two font-parsing vulnerabilities. When you dig a little deeper, however, you realize that this bulletin has the potential to be confusing for some users. One of the vulnerabilities, CVE-2015-1671, affects a large number of Microsoft products and there are 5 separate updates available. Users that have Office, .NET, Silverlight, and Lync installed on Windows will need to apply all 5 updates in order to fully address this vulnerability.
MS15-045
Up next, we have 6 vulnerabilities in Windows Journal. We usually only see one Windows Journal bulletin a year but it’s a great example of software that the majority of Windows users will never use. If you fall into that group of users that don’t use Windows Journal, consider uninstalling it from your system and, in enterprises, removing it from your images. One of the vulnerabilities resolved in this bulletin had been publicly disclosed and, while it wasn’t exploited prior to patch release, this is a great reason to reduce your attack surface.
MS15-046
MS15-046 resolves a pair of Microsoft Office vulnerabilities. The bulletin includes a list of affected software, which is rather extensive but, at this point, also expected. The list includes: Office 2007 through 2013, PowerPoint Viewer, Word Automation Services for SharePoint Server 2010 and 2013, Office Web Apps 2010, Office Web Apps Server 2013, SharePoint Foundation 2010, and SharePoint Server 2013.
MS15-047
While MS15-047 is the only bulletin identified as a SharePoint bulletin, those keeping score will have noted that the bulletin above, MS15-046, also contains SharePoint-related patches. Ensure that you install all required patches for your platform.
MS15-048
Next up is the typical .NET bulletin. While there’s nothing overly unique about this bulletin, it’s worth pointing out that this is one of two .NET updates you may need to install alongside MS15-044. VERT will also be publishing additional information about .NET and Server 2003 via the Tripwire State of Security blog in the near future as people rush to get their systems squared away before the Server 2003 EOL date.
MS15-049
The situation presented by MS15-049 is similar to MS15-048 (since Silverlight is also referenced in MS15-044); however, Microsoft has bundled the updates for MS15-049 and MS15-044 (as they apply to Silverlight) into a single update. This should help to ease the patching process and limit the moving parts involved in ensuring systems are fully up-to-date.
MS15-050
This bulletin resolves a single vulnerability in the Windows Service Control Manager that could lead to elevation of privilege due to improper verification of impersonation levels. It is important to note that while Windows Server 2003 is vulnerable, Microsoft has stated that they will not be making an update available due to the ‘comprehensive architectural changes’ it would require.
MS15-051
A number of information disclosure vulnerabilities are resolved by MS15-051 but the more interesting vulnerability is a privilege escalation attack (CVE-2015-1701). Microsoft has stated that this vulnerability was disclosed publicly and has been used in limited, targeted attacks. This should elevate the priority of this patch in your monthly update process.
MS15-052
This bulletin resolves another of this month’s ASLR bypasses, this one existing within the Windows Kernel.
MS15-053
This bulletin co-exists with MS15-043; this is the VBScript and JScript specific patch that goes along with the Internet Explorer patch (based on VBScript/JScript version and IE Version). If you are confused about the patches you need to apply and can’t use an automated update mechanism, refer to the table in the Microsoft bulletin to determine which updates your system requires.
MS15-054
The penultimate bulletin this month addresses an issue similar to those that we’ve seen in the past: a file format vulnerability related to icon information embedded in the file. In this case we’re talking about .msc files that are opened by the Microsoft Management Console. Successful exploitation of this vulnerability will lead to a denial of service.
MS15-055
The final update this month is for Schannel and it disables 512-bit Diffie-Hellman ephemeral keys, the use of which could lead to information disclosure. This update sets the ClientMinKeyBitLength registry key default to 1024-bit; however, the value can be set lower (allowing 512-bit keys). This is also true after the update is applied. Also note that Microsoft states that this update replaces MS15-052 and must be installed after MS15-052, if you are manually installing updates.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table
Automated Exploit: MS15-051
Easy: none
Moderate: none
Difficult: none
Extremely Difficult: MS15-045
No Known Exploit: MS15-052, MS15-053, MS15-055 | MS15-054 | MS15-043, MS15-044, MS15-046, MS15-047, MS15-048, MS15-049 | MS15-050
Exposure: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
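
The MS15-055 note above says ClientMinKeyBitLength can still be set below 1024 bits after the update is applied. The following check for that override is an added example, not code from VERT or Microsoft. Assumptions: the registry path is the one Microsoft documents for Schannel Diffie-Hellman settings (the alert names only the value), and the function name `Get-DheClientFloor` is hypothetical.

```powershell
# Added example: audit the Schannel client-side minimum DHE key length.
# Assumption: this registry path comes from Microsoft's Schannel
# documentation; the alert itself names only the value.
$DhKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ValueName = 'ClientMinKeyBitLength'
$Floor     = 1024   # default the update sets, per the alert

function Get-DheClientFloor {
    param(
        [string]$Path = $DhKeyPath,
        [int]$Minimum = $Floor
    )

    $result = [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $false
        BitLength  = $null
        Status     = $null
    }

    # Key or value absent: no override is set, so the patched default applies.
    # This does not verify that MS15-055 itself is installed.
    $prop = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.Status = "NotSet (default of $Minimum bits applies once the update is installed)"
        return $result
    }

    $result.Configured = $true
    $result.BitLength  = [int]$prop.$ValueName

    # An explicit value below the floor re-enables weak DHE keys,
    # even on a patched system.
    if ($result.BitLength -lt $Minimum) {
        $result.Status = "WEAK: override permits DHE keys below $Minimum bits"
    } else {
        $result.Status = 'OK'
    }
    return $result
}

Get-DheClientFloor | Format-List
```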