Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-605 on Wednesday, March 11.
Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE
VBScript Memory Corruption Vulnerability | CVE-2015-0032
Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-0072
Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-1627
VBScript Memory Corruption Vulnerability | CVE-2015-0032
WTS Remote Code Execution Vulnerability | CVE-2015-0081
DLL Planting Remote Code Execution Vulnerability | CVE-2015-0096
Adobe Font Driver Denial of Service Vulnerability | CVE-2015-0074
Multiple Adobe Font Driver Information Disclosure Vulnerabilities | MULTIPLE
Multiple Adobe Font Driver Remote Code Execution Vulnerabilities | MULTIPLE
Microsoft Office Component Use After Free Vulnerability | CVE-2015-0085
Microsoft Office Memory Corruption Vulnerability | CVE-2015-0086
Microsoft Word Local Zone Remote Code Execution Vulnerability | CVE-2015-0097
Multiple SharePoint XSS Vulnerabilities | MULTIPLE
Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0077
Win32k Elevation of Privilege Vulnerability | CVE-2015-0078
Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0094
Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0095
Malformed PNG Parsing Information Disclosure Vulnerability | CVE-2015-0080
Registry Virtualization Elevation of Privilege Vulnerability | CVE-2015-0073
Impersonation level Check Elevation of Privilege Vulnerability | CVE-2015-0075
Multiple OWA XSS Vulnerabilities | MULTIPLE
Exchange Forged Meeting Request Spoofing Vulnerability | CVE-2015-1631
NETLOGON Spoofing Vulnerability | CVE-2015-0005
Task Scheduler Security Feature Bypass Vulnerability | CVE-2015-0084
JPEG XR Parser Information Disclosure Vulnerability | CVE-2015-0076
Remote Desktop Protocol (RDP) Denial of Service Vulnerability | CVE-2015-0079
Schannel Security Feature Bypass Vulnerability | CVE-2015-1637
MS15-018
We start this Patch Tuesday like we start most, with an IE update that resolves multiple vulnerabilities, including one (CVE-2015-1625) that was publicly disclosed prior to the update release. One noteworthy item in the list is CVE-2015-0032, a vulnerability in VBScript, which is also addressed by MS15-019. The correct patch (MS15-018 vs. MS15-019) is determined by the version of Internet Explorer installed on the affected system.
MS15-019
As mentioned above, MS15-019 fixes a vulnerability in VBScript. In particular, MS15-019 contains fixes for VBScript 5.6 and 5.7, as well as VBScript 5.8 on Windows Server 2008 R2 Server Core only.
MS15-020
Up next, we have two vulnerabilities affecting the Windows operating system. The first affects Windows Text Services and could be targeted to perform a web-based drive-by attack. The second is a DLL Planting vulnerability that involves pointing the icon location of a shortcut at a malicious DLL that will run in memory when the icon is viewed (browsing to the folder) in Windows Explorer.
MS15-021
This bulletin describes multiple vulnerabilities affecting the Adobe Font Driver, which could allow a malicious website to execute code on the user's system.
MS15-022
This month’s Office bulletin includes a rather extensive software list: every version of Office from 2007 to 2013, as well as Word and Excel Viewer, Office Compatibility Pack, SharePoint Server, and Office Web Apps. It’s important to note that there are updates for both SharePoint Server and the services running on SharePoint Server (such as Word Automation Services).
MS15-023
Up next, we have several privilege escalation vulnerabilities in Windows Kernel-Mode Drivers. This is becoming an expected update each month, as Win32k.sys is updated almost as frequently as Internet Explorer and Microsoft Office.
MS15-024
MS15-024 is the first of two image-parsing bulletins this month. This bulletin refers to a vulnerability parsing the PNG image format that could lead to information disclosure.
MS15-025
This privilege escalation bulletin describes two issues involving differing types of impersonation. With CVE-2015-0073, the attacker modifies the virtual store of another user via Windows Registry Virtualization. CVE-2015-0075, on the other hand, has to do with Windows impersonation levels and the inability of Windows to properly validate and enforce these levels.
MS15-026
Microsoft Exchange has been seeing updates on a more frequent basis in recent years, and once again we have multiple cross-site scripting vulnerabilities resolved in this bulletin. Additionally, an interesting vulnerability that allows an attacker to schedule or modify meetings while spoofing the meeting organizer is also patched today. Enterprises may want to be hypervigilant about validating meeting requests and meeting changes until patches are rolled out for this update.
MS15-027
MS15-027 is an interesting vulnerability that allows an attacker able to sniff network traffic to establish a secure channel by spoofing the name of the computer involved in the NETLOGON session. An update is available for all supported server releases of Windows and Microsoft recommends installing it on all servers, not just domain controllers.
MS15-028
This bulletin is similar to MS15-025 in that it involves Windows' ability to validate and enforce impersonation levels, in this case when using the Windows Task Scheduler. When first reading this, I was reminded of the blog posts that advised users on how to bypass UAC by using Task Scheduler a number of years ago.
MS15-029
The second image-parsing vulnerability of the month, this one deals with JPEG XR (.jxr) image formats. As with MS15-024, successful exploitation of this vulnerability could lead to information disclosure.
MS15-030
The second-to-last bulletin of the month resolves an issue with RDP that could allow an attacker to prevent users from logging in to remote desktop. A longer-term attack could cause the system to stop responding.
MS15-031
The final bulletin this month resolves a vulnerability that could allow a TLS downgrade to an RSA Export Key. This vulnerability has been disclosed as part of the FREAK Attack. For more details, see the VERT Alert previously released regarding FREAK[1].
As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table
Automated Exploit | | | | | | |
Easy | | | | | | |
Moderate | | | | | | |
Difficult | MS15-018 | | | | | |
Extremely Difficult | | | | | | |
No Known Exploit | MS15-024 MS15-027 MS15-029 MS15-031 | MS15-019 MS15-020 MS15-021 | MS15-030 | MS15-022 MS15-026 | MS15-023 MS15-025 MS15-028 | |
Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |