Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-623 on Wednesday, July 15th.
| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-058 | SQL Server Elevation of Privilege Vulnerability | CVE-2015-1761 |
| | SQL Server Remote Code Execution Vulnerability | CVE-2015-1762 |
| | SQL Server Remote Code Execution Vulnerability | CVE-2015-1763 |
| MS15-065 | VBScript Memory Corruption Vulnerability | CVE-2015-2372 |
| | Internet Explorer XSS Filter Bypass Vulnerability | CVE-2015-2398 |
| | Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-2402 |
| | JScript9 Memory Corruption Vulnerability | CVE-2015-2419 |
| | Internet Explorer ASLR Bypass | CVE-2015-2421 |
| | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| | Multiple Internet Explorer Information Disclosure Vulnerabilities | MULTIPLE |
| MS15-066 | VBScript Memory Corruption Vulnerability | CVE-2015-2372 |
| MS15-067 | Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability | CVE-2015-2373 |
| MS15-068 | Hyper-V Buffer Overflow Vulnerability | CVE-2015-2361 |
| | Hyper-V System Data Structure Vulnerability | CVE-2015-2362 |
| MS15-069 | Windows DLL Remote Code Execution Vulnerability | CVE-2015-2368 |
| | DLL Planting Remote Code Execution Vulnerability | CVE-2015-2369 |
| MS15-070 | Multiple Microsoft Office Memory Corruption Vulnerabilities | Multiple |
| | Microsoft Excel ASLR Bypass Vulnerability | CVE-2015-2375 |
| | Microsoft Excel DLL Remote Code Execution Vulnerability | CVE-2015-2378 |
| MS15-071 | Elevation of Privilege Vulnerability in Netlogon | CVE-2015-2374 |
| MS15-072 | Graphics Component EOP Vulnerability | CVE-2015-2364 |
| MS15-073 | Multiple Elevation of Privilege Vulnerability | MULTIPLE |
| | Multiple Information Disclosure Vulnerability | MULTIPLE |
| MS15-074 | Windows Installer EoP Vulnerability | CVE-2015-2371 |
| MS15-075 | OLE Elevation of Privilege Vulnerability I | CVE-2015-2416 |
| | OLE Elevation of Privilege Vulnerability II | CVE-2015-2417 |
| MS15-076 | Windows RPC Elevation of Privilege Vulnerability | CVE-2015-2370 |
| MS15-077 | ATMFD.DLL Memory Corruption Vulnerability | CVE-2015-2387 |

MS15-058
The July Patch Tuesday starts off with June’s forgotten patch. This is the mystery bulletin that had its ID assigned but was held back last month. We now know that it resolves three privately reported vulnerabilities in Microsoft SQL Server.
MS15-065
Up next, we have the latest Internet Explorer Cumulative update, which resolves 29 vulnerabilities. This includes CVE-2015-2398, CVE-2015-2421, CVE-2015-2413, and CVE-2015-2419 – all of which have been publicly disclosed. While none of these are currently being exploited, the knowledge that they are public should skyrocket the patch priority of this month’s update for most enterprises.
MS15-066
Just as we saw back in March, this month we have another update to VBScript where the update is spread across multiple bulletins. In this case, the update includes MS15-065, for versions of IE that ship with VBScript bundled, and MS15-066 for standalone versions of VBScript.
MS15-067
Up next, we have a vulnerability that only affects the latest Microsoft operating systems – Windows 7, Windows 8, and Windows Server 2012. This is one of the more critical issues this month since an unauthenticated attacker can target a listening service. If you have any affected boxes listening on the RDP port remotely, you may want to restrict or disable access until you can apply this update.
MS15-068
Another vulnerability that appears near the top of the list this month is MS15-068, which resolves two vulnerabilities in Hyper-V. In both cases, the Hyper-V vulnerabilities could allow an attacker with privileged access to a guest VM to break out of the VM and gain access to the host environment. Those running shared hosting on Microsoft Hyper-V should pay close attention to the deployment of this patch, as they will be the biggest targets until their systems are up-to-date.
MS15-069
DLL loading issues were common for a while, but now the updates seem to appear less frequently. This month the issues appear once again with two vulnerabilities, both of which involve loading malicious DLLs onto the system. The attack vector for these vulnerabilities greatly decreases their risk compared to a number of other bulletins released this month.
MS15-070
A Microsoft patch drop isn’t complete without at least one Microsoft Office bulletin. This month’s quota is met by MS15-070, which resolves a large number of vulnerabilities affecting all supported versions of Microsoft Office as well as Excel Service on SharePoint Server 2007, 2010, and 2013.
MS15-071
There’s almost always a moment of fear when a vulnerability’s title includes “Netlogon” and it mentions the domain controller. Luckily, MS15-071 requires that an attacker already have credentials and access to a primary domain controller. That attacker could then create a fake backup domain controller. Since most domain controllers are locked down and not exposed to the Internet, the risk here should be limited to insider threats. That is not, however, a mitigation, and enterprises should apply this update as soon as possible.
MS15-072
Up next, we have a vulnerability in Windows Graphics, another common sight on Patch Tuesday. This particular vulnerability occurs when processing bitmap conversions. Luckily, this does not appear to be a file format issue, which means that drive-by attacks are not possible.
MS15-073
Much like Internet Explorer and Office, we can expect to see Win32k patched every single month. This was true again this month with 6 vulnerabilities in Win32k resolved in this update.
MS15-074
This update is an interesting elevation of privilege due to its complexity, which should limit its attractiveness to attackers. The attacker must gain access to a system, find a vulnerable .msi file, and load custom code that the .msi can find and execute.
MS15-075
Up next, we have two vulnerabilities in Microsoft OLE that could be used to elevate privileges. According to Microsoft, attackers could chain exploits for these vulnerabilities with Internet Explorer vulnerabilities in order to gain higher privileges within IE.
MS15-076
The penultimate update this month fixes a vulnerability that allows for DCE/RPC connection reflection. Microsoft has stated that an attacker would need to be logged into a system and run a specially crafted application in order to exploit this vulnerability and elevate their privileges.
MS15-077
The final vulnerability this month should be at the top of everyone’s list: it’s the ATM Font Driver vulnerability that was released in the data dump from the recent Hacking Team hack. Since exploit code is available, patching this should be a priority.
Additional Details
Adobe has released updates for Acrobat/Reader (APSB15-15), Shockwave (APSB15-17), and Flash (APSB15-18). Additionally, Oracle released their July CPU today including updates for Oracle Database, MySQL, Solaris, and Java. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease-of-Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | MS15-077 |
| Easy | |
| Moderate | MS15-070 |
| Difficult | |
| Extremely Difficult | MS15-065 |
| No Known Exploit | MS15-066 MS15-072 MS15-075 MS15-076; MS15-058 MS15-071 MS15-073 MS15-074; MS15-067 MS15-068 MS15-069 |

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged