Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-601 on Wednesday, February 11.

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-009 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| | Multiple Elevation of Privilege Vulnerabilities in Internet Explorer | MULTIPLE |
| | Multiple Internet Explorer ASLR Bypass Vulnerabilities | MULTIPLE |
| | Internet Explorer Cross-domain Information Disclosure Vulnerability | CVE-2015-0070 |
| MS15-010 | Win32k Elevation of Privilege Vulnerability | CVE-2015-0003 |
| | CNG Security Feature Bypass Vulnerability | CVE-2015-0010 |
| | Win32K Elevation of Privilege Vulnerability | CVE-2015-0057 |
| | Windows Cursor Object Double Free Vulnerability | CVE-2015-0058 |
| | TrueType Font Parsing Remote Code Execution Vulnerability | CVE-2015-0059 |
| | Windows Font Driver Denial of Service Vulnerability | CVE-2015-0060 |
| MS15-011 | Group Policy Remote Code Execution Vulnerability | CVE-2015-0008 |
| MS15-012 | Excel Remote Code Execution Vulnerability | CVE-2015-0063 |
| | Office Remote Code Execution Vulnerability | CVE-2015-0064 |
| | OneTableDocumentStream Remote Code Execution Vulnerability | CVE-2015-0065 |
| MS15-013 | Microsoft Office Component Use After Free Vulnerability | CVE-2014-6362 |
| MS15-014 | Group Policy Security Feature Bypass Vulnerability | CVE-2015-0009 |
| MS15-015 | Windows Create Process Elevation of Privilege Vulnerability | CVE-2015-0062 |
| MS15-016 | TIFF Processing Information Disclosure Vulnerability | CVE-2015-0061 |
| MS15-017 | Virtual Machine Manager Elevation of Privilege Vulnerability | CVE-2015-0012 |

MS15-009
Microsoft starts out February making up for the lack of a January IE update, releasing fixes for 41 vulnerabilities. The upside is that one publicly exploited vulnerability was resolved; the downside is that the XSS released publicly last week wasn’t included in this patch drop.
MS15-010
The second bulletin this month should have been the second and third bulletins since it contains multiple updates for unassociated vulnerabilities. The only element that binds the vulnerabilities and updates together is the fact that both updates resolve issues with kernel mode drivers.
MS15-011
MS15-011 is the big bulletin this month, fixing a vulnerability labeled JASBUG, named after JAS Global Advisors, the group that discovered the issue. The most important takeaway here is that the bulletin doesn’t actually fix the vulnerability but rather puts a framework in place that allows you to mitigate it. JAS Global Advisors has released a fact sheet[1] that is worth a read, and Microsoft has released a detailed KB[2] with configuration data related to the new changes. The natural reaction will be to immediately apply the update and the Microsoft-recommended configurations, but each domain’s specific criteria will need to be considered when deploying this update. End-of-life platforms Windows 2000 and Windows XP are also affected; hopefully, no one is running them, but the still-supported Windows Server 2003 also did not receive an update for this critical issue. This is an important consideration for enterprises that may have a slower than normal upgrade cycle.
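
Because installing the update alone changes nothing until the hardening is configured, a per-host audit of the Hardened UNC Paths policy is a useful follow-up. The script below is an added example, not code from this alert or from Microsoft; the registry location, value syntax and the two recommended paths are taken from KB3000483 rather than from this page, and the function names are illustrative.

```powershell
# Added example: audit the Hardened UNC Paths policy that MS15-011 makes available.
# Registry location and value syntax follow Microsoft KB3000483; the two required
# paths are the KB's recommended minimum, not a rule that fits every domain.
$key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$required = '\\*\NETLOGON', '\\*\SYSVOL'
$flags    = 'RequireMutualAuthentication', 'RequireIntegrity'

function ConvertTo-FlagTable([string]$Data) {
    # "RequireMutualAuthentication=1, RequireIntegrity=1" -> @{ name = '1'; ... }
    $table = @{}
    foreach ($pair in ($Data -split ',')) {
        $name, $value = $pair.Trim() -split '=', 2
        if ($name) { $table[$name] = "$value".Trim() }
    }
    return $table
}

function Test-HardenedPath([string]$Path, $Configured) {
    # MISSING: no policy entry for the path; WEAK: entry exists but a flag is not 1.
    if (-not $Configured.ContainsKey($Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Detail = 'no entry' }
    }
    $set     = ConvertTo-FlagTable $Configured[$Path]
    $missing = $flags | Where-Object { $set[$_] -ne '1' }
    if ($missing) {
        return [pscustomobject]@{ Path = $Path; Status = 'WEAK'
                                  Detail = "not enforced: $($missing -join ', ')" }
    }
    [pscustomobject]@{ Path = $Path; Status = 'OK'; Detail = $Configured[$Path] }
}

# Read the policy values; an absent key means the hardening was never configured.
$configured = @{}   # PowerShell hashtable literals compare keys case-insensitively
if (Test-Path $key) {
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $configured[$name] = [string]$item.GetValue($name)
    }
}

$required | ForEach-Object { Test-HardenedPath $_ $configured } | Format-Table -AutoSize
```

The script reports only what policy is configured on the host; it does not confirm that the MS15-011 update itself is installed, which is needed for the setting to take effect.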
MS15-012
The first of two Office bulletins this month is rather typical, affecting Excel and Word in all their variations, including SharePoint, Office Web Apps, and the stand-alone viewers.
MS15-013
The second Office bulletin this month addresses an ASLR bypass that exists in all supported versions of Microsoft Office.
MS15-014
MS15-014 is the second Group Policy bulletin this month (it’s rare to see two of these in a year, let alone two in a single month). This one is rated Important, which feels like it may understate the issue. A man-in-the-middle attack could cause the Group Policy Security Configuration Engine policy file to be corrupted. When this file is corrupted, the system may revert to a default group policy, which could be less secure than the applied group policy.
MS15-015
The only “Windows” vulnerability this month is a privilege escalation that could allow an authenticated user to gain administrator access to the system.
MS15-016
The second-to-last bulletin this month resolves an issue with TIFF image parsing that could allow memory disclosure. While this attack is not necessarily dangerous on its own, it could be paired with another attack to increase the likelihood of success.
MS15-017
The final bulletin this month is definitely one to keep an eye on if you are running Microsoft System Center Virtual Machine Manager in your environment. It is a privilege escalation issue that could give an attacker full control over all guest operating systems.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | |
| Easy | |
| Moderate | |
| Difficult | MS15-011 |
| Extremely Difficult | |
| No Known Exploit | MS15-013, MS15-014, MS15-016; MS15-009, MS15-012; MS15-010, MS15-015, MS15-017 |

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

[1] https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/
[2] https://support.microsoft.com/kb/3000483