VERT Threat Alert - March 11, 2015

Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-605 on Wednesday, March 11th.

 

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-018 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| | VBScript Memory Corruption Vulnerability | CVE-2015-0032 |
| | Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-0072 |
| | Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-1627 |
| MS15-019 | VBScript Memory Corruption Vulnerability | CVE-2015-0032 |
| MS15-020 | WTS Remote Code Execution Vulnerability | CVE-2015-0081 |
| | DLL Planting Remote Code Execution Vulnerability | CVE-2015-0096 |
| MS15-021 | Adobe Font Driver Denial of Service Vulnerability | CVE-2015-0074 |
| | Multiple Adobe Font Driver Information Disclosure Vulnerabilities | MULTIPLE |
| | Multiple Adobe Font Driver Remote Code Execution Vulnerabilities | MULTIPLE |
| MS15-022 | Microsoft Office Component Use After Free Vulnerability | CVE-2015-0085 |
| | Microsoft Office Memory Corruption Vulnerability | CVE-2015-0086 |
| | Microsoft Word Local Zone Remote Code Execution Vulnerability | CVE-2015-0097 |
| | Multiple SharePoint XSS Vulnerabilities | MULTIPLE |
| MS15-023 | Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0077 |
| | Win32k Elevation of Privilege Vulnerability | CVE-2015-0078 |
| | Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0094 |
| | Microsoft Windows Kernel Memory Disclosure Vulnerability | CVE-2015-0095 |
| MS15-024 | Malformed PNG Parsing Information Disclosure Vulnerability | CVE-2015-0080 |
| MS15-025 | Registry Virtualization Elevation of Privilege Vulnerability | CVE-2015-0073 |
| | Impersonation level Check Elevation of Privilege Vulnerability | CVE-2015-0075 |
| MS15-026 | Multiple OWA XSS Vulnerabilities | MULTIPLE |
| | Exchange Forged Meeting Request Spoofing Vulnerability | CVE-2015-1631 |
| MS15-027 | NETLOGON Spoofing Vulnerability | CVE-2015-0005 |
| MS15-028 | Task Scheduler Security Feature Bypass Vulnerability | CVE-2015-0084 |
| MS15-029 | JPEG XR Parser Information Disclosure Vulnerability | CVE-2015-0076 |
| MS15-030 | Remote Desktop Protocol (RDP) Denial of Service Vulnerability | CVE-2015-0079 |
| MS15-031 | Schannel Security Feature Bypass Vulnerability | CVE-2015-1637 |

 

MS15-018

We start this Patch Tuesday like we start most, with an IE update that resolves multiple vulnerabilities, including one (CVE-2015-1625) that was publicly disclosed prior to the update release. One noteworthy item in the list is CVE-2015-0032, a vulnerability in VBScript, which is also addressed by MS15-019. The correct patch (MS15-018 vs. MS15-019) is determined by the version of Internet Explorer installed on the affected system.

MS15-019

As mentioned above, MS15-019 fixes a vulnerability in VBScript. In particular, MS15-019 contains fixes for VBScript 5.6 and 5.7, as well as VBScript 5.8 on Windows Server 2008 R2 Server Core only.

MS15-020

Up next, we have two vulnerabilities affecting the Windows operating system. The first affects Windows Text Services and could be targeted to perform a web-based drive-by attack. The second is a DLL Planting vulnerability that involves pointing the icon location of a shortcut at a malicious DLL that will run in memory when the icon is viewed (browsing to the folder) in Windows Explorer.

MS15-021

This bulletin describes multiple vulnerabilities affecting the Adobe Font Driver, which could allow a malicious website to execute code on the user's system.

MS15-022

This month’s Office bulletin includes a rather extensive software list: every version of Office from 2007 to 2013, as well as Word and Excel Viewer, Office Compatibility Pack, SharePoint Server, and Office Web Apps. It’s important to note that there are updates for both SharePoint Server and the services running on SharePoint Server (such as Word Automation Services).

MS15-023

Up next, we have several privilege escalation vulnerabilities in Windows Kernel-Mode Drivers. This is becoming an expected update at this point, as Win32k.sys is updated almost as frequently as Internet Explorer and Microsoft Office.

MS15-024

MS15-024 is the first of two image-parsing bulletins this month. This bulletin refers to a vulnerability parsing the PNG image format that could lead to information disclosure.

MS15-025

This privilege escalation bulletin describes two issues involving differing types of impersonation. With CVE-2015-0073, the attacker modifies the virtual store of another user via Windows Registry Virtualization. CVE-2015-0075, on the other hand, has to do with Windows impersonation levels and the inability of Windows to properly validate and enforce these levels.

MS15-026

Microsoft Exchange is seeing updates on a more frequent basis in recent years, and once again we have multiple Cross Site Scripting vulnerabilities resolved in this bulletin. Additionally, an interesting vulnerability that allows an attacker to schedule or modify meetings while spoofing the meeting organizer is also patched today. Enterprises may want to be hypervigilant about validating meeting requests and meeting changes until patches are rolled out for this update.

MS15-027

MS15-027 is an interesting vulnerability that allows an attacker able to sniff network traffic to establish a secure channel by spoofing the name of the computer involved in the NETLOGON session. An update is available for all supported server releases of Windows and Microsoft recommends installing it on all servers, not just domain controllers.

MS15-028

This bulletin is similar to MS15-025 in that it involves Windows' ability to validate and enforce impersonation levels, in this case when using the Windows Task Scheduler. When first reading this, I was reminded of the blog posts that advised users on how to bypass UAC by using Task Scheduler a number of years ago.

MS15-029

The second image-parsing vulnerability of the month, this one deals with JPEG XR (.jxr) image formats. As with MS15-024, successful exploitation of this vulnerability could lead to information disclosure.

MS15-030

The second-to-last bulletin of the month resolves an issue with RDP that could allow an attacker to prevent users from logging in to remote desktop. A longer-term attack could cause the system to stop responding.

MS15-031

The final bulletin this month resolves a vulnerability that could allow a TLS downgrade to an RSA Export Key. This vulnerability has been disclosed as part of the FREAK Attack. For more details, see the VERT Alert previously released regarding FREAK[1].

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | |
| Easy | |
| Moderate | |
| Difficult | MS15-018 |
| Extremely Difficult | |
| No Known Exploit | MS15-024, MS15-027, MS15-029, MS15-031, MS15-019, MS15-020, MS15-021, MS15-030, MS15-022, MS15-026, MS15-023, MS15-025, MS15-028 |

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged