Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-618 on Wednesday, June 10th.

| Vulnerability | CVE |
| --- | --- |
| Internet Explorer Information Disclosure Vulnerability | CVE-2015-1765 |
| Multiple Elevation of Privilege Vulnerabilities | MULTIPLE |
| Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| Windows Media Player RCE via DataObject Vulnerability | CVE-2015-1728 |
| Microsoft Office Uninitialized Memory Use Vulnerability | CVE-2015-1770 |
| Multiple Microsoft Office Memory Corruption Vulnerabilities | MULTIPLE |
| Microsoft Common Control Use After Free Vulnerability | CVE-2015-1756 |
| Microsoft Windows Kernel Information Disclosure Vulnerability | CVE-2015-1719 |
| Microsoft Windows Kernel Use After Free Vulnerability | CVE-2015-1720 |
| Win32k Null Pointer Dereference Vulnerability | CVE-2015-1721 |
| Multiple Microsoft Windows Kernel Vulnerabilities | MULTIPLE |
| Multiple Windows Kernel Buffer Overflow Vulnerabilities | MULTIPLE |
| Multiple Win32k Memory Corruption Elevation of Privilege Vulnerabilities | MULTIPLE |
| ADFS XSS Elevation of Privilege Vulnerability | CVE-2015-1757 |
| Windows LoadLibrary EoP Vulnerability | CVE-2015-1758 |
| Exchange Server-Side Request Forgery Vulnerability | CVE-2015-1764 |
| Exchange Cross-Site Request Forgery Vulnerability | CVE-2015-1771 |
| Exchange HTML Injection Vulnerability | CVE-2015-2359 |

MS15-056
This month starts like most with a cumulative update for Internet Explorer. While most of the vulnerabilities are standard fare, the publicly disclosed information disclosure vulnerability stands out. CVE-2015-1765 allows an attacker to access your browser history when you visit a malicious website that they control. While the worst-case scenario isn’t as bad as other vulnerabilities in this bundle, this attack is potentially easier to execute.
MS15-057
The second update this month resolves a single vulnerability affecting Windows Media Player versions 10 through 12 across Windows Server 2008 R2 and older operating systems. The result of visiting a website with a malicious DataObject is code execution in the context of the logged-in user.
MS15-059
Up next, we have a patch that resolves three vulnerabilities in Microsoft Office. These issues affect the Microsoft Office Compatibility Pack, Office 2010 and Office 2013. Microsoft has included an important reminder that people often forget: While the bulletin states Microsoft Office, any individual Microsoft Office product fits that category, so even if you only have Microsoft Word installed, you could be offered this update.
MS15-060
The single Microsoft Common Control vulnerability patched in MS15-060 is interesting due to its limited exposure. The vulnerability requires that the user run the Developer Tools in Internet Explorer. This likely limits the attack to a subset of developers and security researchers who are working with Internet Explorer; the average end-user is unlikely to run Developer Tools for any reason other than an accidental key press. This limited target base could lead to unique uses of this vulnerability.
MS15-061
This month the Windows Kernel-Mode Drivers update is rather large, not quite IE Cumulative Update size but still quite large, and it contains patches for every shipping version of Windows. This update has become a regular addition to Patch Tuesday, so everyone should be prepared for it and ready to apply these updates.
MS15-062
Active Directory Federation Services has seen a number of patches recently and this month we have another one. In this case, it’s a lack of proper sanitization on URLs that could lead to cross-site scripting, allowing the attacker to run scripts as the logged-in user. This security bulletin is interesting, as Microsoft has provided more details than they normally do regarding mitigation, indicating the vulnerable query parameter, the request path, and a simple attack string. While I’m sure that the string is sufficiently broken to avoid exploitation, administrators that cannot apply updates ASAP would be wise to deploy mitigations in their WAF to block requests that follow this format.
MS15-063
This month’s penultimate update resolves a single vulnerability in the Windows Kernel. This attack requires that a malicious DLL be placed on the system and then a special application needs to be run to call LoadLibrary.
MS15-064
The final bulletin resolves three vulnerabilities in Microsoft Exchange 2013. These attacks include a same-origin policy bypass, a CSRF, and HTML Injection, continuing the trend this month where most of the attacks occur in a web-based environment. As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease-of-Use (published exploits) to Risk Table

Automated Exploit |
Easy |
Moderate |
Difficult | MS15-062
Extremely Difficult |
No Known Exploit | MS15-056 MS15-057 MS15-059 MS15-060 | MS15-064 | MS15-061 MS15-063
Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged