VERT Threat Alert - February 10, 2015

Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-601 on Wednesday, February 11th.

 

Bulletin  CVE            Vulnerability
MS15-009  MULTIPLE       Multiple Memory Corruption Vulnerabilities in Internet Explorer
MS15-009  MULTIPLE       Multiple Elevation of Privilege Vulnerabilities in Internet Explorer
MS15-009  MULTIPLE       Multiple Internet Explorer ASLR Bypass Vulnerabilities
MS15-009  CVE-2015-0070  Internet Explorer Cross-domain Information Disclosure Vulnerability
MS15-010  CVE-2015-0003  Win32k Elevation of Privilege Vulnerability
MS15-010  CVE-2015-0010  CNG Security Feature Bypass Vulnerability
MS15-010  CVE-2015-0057  Win32K Elevation of Privilege Vulnerability
MS15-010  CVE-2015-0058  Windows Cursor Object Double Free Vulnerability
MS15-010  CVE-2015-0059  TrueType Font Parsing Remote Code Execution Vulnerability
MS15-010  CVE-2015-0060  Windows Font Driver Denial of Service Vulnerability
MS15-011  CVE-2015-0008  Group Policy Remote Code Execution Vulnerability
MS15-012  CVE-2015-0063  Excel Remote Code Execution Vulnerability
MS15-012  CVE-2015-0064  Office Remote Code Execution Vulnerability
MS15-012  CVE-2015-0065  OneTableDocumentStream Remote Code Execution Vulnerability
MS15-013  CVE-2014-6362  Microsoft Office Component Use After Free Vulnerability
MS15-014  CVE-2015-0009  Group Policy Security Feature Bypass Vulnerability
MS15-015  CVE-2015-0062  Windows Create Process Elevation of Privilege Vulnerability
MS15-016  CVE-2015-0061  TIFF Processing Information Disclosure Vulnerability
MS15-017  CVE-2015-0012  Virtual Machine Manager Elevation of Privilege Vulnerability

 

MS15-009

Microsoft starts out February making up for the lack of a January IE update, releasing fixes for 41 vulnerabilities. The upside is that one publicly exploited vulnerability was resolved; the downside is that the XSS released publicly last week wasn’t included in this patch drop.

MS15-010

The second bulletin this month should have been the second and third bulletins since it contains multiple updates for unassociated vulnerabilities. The only element that binds the vulnerabilities and updates together is the fact that both updates resolve issues with kernel mode drivers.

MS15-011

MS15-011 is the big bulletin this month, fixing a vulnerability labeled JASBUG, named after JAS Global Advisors, the group that discovered the issue. The most important takeaway here is that the bulletin doesn’t actually fix the vulnerability but rather puts a framework in place that allows you to mitigate it. JAS Global Advisors has released a fact sheet[1] that is worth a read, and Microsoft has released a detailed KB[2] with configuration data related to the new changes. The natural reaction will be to immediately apply the updates and the Microsoft-recommended configurations, but each domain’s specific criteria will need to be considered when deploying this update. The End of Life platforms Windows 2000 and Windows XP are also affected; hopefully no one is running them, but the still-supported Windows Server 2003 also did not receive an update for this critical issue. This is an important consideration for enterprises that may have a slower than normal upgrade cycle.

MS15-012

The first of two Office bulletins this month is rather typical, affecting Excel and Word in all their variations, including SharePoint, Office Web Apps, and the stand-alone viewers.

MS15-013

The second Office bulletin this month addresses an ASLR bypass that exists in all supported versions of Microsoft Office.

MS15-014

MS15-014 is the second Group Policy bulletin this month (it’s rare to see two of these in a year, let alone two in a single month). This one is rated Important, which feels like it may understate the issue. A man-in-the-middle attack could cause the Group Policy Security Configuration Engine policy file to be corrupted. When this file is corrupted, the system may revert to a default group policy, which could be less secure than the applied group policy.

MS15-015

The only “Windows” vulnerability this month is a privilege escalation that could allow an authenticated user to gain administrator access to the system.

MS15-016

The second-to-last bulletin this month resolves an issue with TIFF image parsing that could allow memory disclosure. While this attack is not necessarily dangerous on its own, it could be paired with another attack to increase the likelihood of success.

MS15-017

The final bulletin this month is definitely one to keep an eye on if you are running Microsoft System Center Virtual Machine Manager in your environment. It is a privilege escalation issue that could give an attacker full control over all guest operating systems.

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Exposure columns: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

Automated Exploit:    (none)
Easy:                 (none)
Moderate:             (none)
Difficult:            MS15-011
Extremely Difficult:  (none)
No Known Exploit:     MS15-013, MS15-014, MS15-016; MS15-009, MS15-012; MS15-010, MS15-015, MS15-017