
Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-610 on Wednesday, April 15th.

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-032 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS15-032 | Internet Explorer ASLR Bypass Vulnerability | CVE-2015-1661 |
| MS15-033 | Microsoft Office Memory Corruption Vulnerability | CVE-2015-1641 |
| MS15-033 | Multiple Microsoft Office Component Use After Free Vulnerabilities | MULTIPLE |
| MS15-033 | Microsoft Outlook App for Mac XSS Vulnerability | CVE-2015-1639 |
| MS15-034 | HTTP.sys Remote Code Execution Vulnerability | CVE-2015-1635 |
| MS15-035 | EMF Processing Remote Code Execution Vulnerability | CVE-2015-1645 |
| MS15-036 | Multiple SharePoint XSS Vulnerabilities | MULTIPLE |
| MS15-037 | Task Schedule Elevation of Privilege Vulnerability | CVE-2015-0098 |
| MS15-038 | NtCreateTransactionManager Type Confusion Vulnerability | CVE-2015-1643 |
| MS15-038 | Windows MS-DOS device name Vulnerability | CVE-2015-1644 |
| MS15-039 | MSXML3 Same Origin Policy SFB Vulnerability | CVE-2015-1646 |
| MS15-040 | Active Directory Federation Services Information Disclosure Vulnerability | CVE-2015-1638 |
| MS15-041 | ASP.NET Information Disclosure Vulnerability | CVE-2015-1648 |
| MS15-042 | Windows Hyper-V DoS Vulnerability | CVE-2015-1647 |

MS15-032

This month starts like most others, with an update for Internet Explorer. In total, 10 CVEs are resolved, 9 that lead to memory corruption and a lone ASLR bypass. The good news is that none of the vulnerabilities this month has been publicly disclosed. That said, updating IE should always be a high priority.

MS15-033

Up next this month, we have the Microsoft Office “mega-bulletin”, which resolves multiple vulnerabilities affecting Microsoft Office, SharePoint Server, Office Web Apps Server, Office Word Viewer, and the Compatibility Pack. There’s no shortage of affected products in this bulletin.

MS15-034

A critical vulnerability this month is MS15-034, a remote code execution vulnerability in HTTP.sys, meaning that IIS is affected. There are no reports of public exploitation at this time, but given the nature of this vulnerability, it will likely be a popular target for attackers, so applying this patch as soon as possible is critical. The vulnerability involves the handling of specially crafted HTTP requests.

MS15-035

Also on the list this month is another graphic processing vulnerability. We’ve seen a couple of vulnerabilities of this nature this year and all of them are rather similar. They affect a specific graphic format, in this case Enhanced Metafile (EMF) images, and they can be used in a drive-by attack scenario.

MS15-036

The next bulletin this month resolves two cross-site scripting vulnerabilities in Microsoft SharePoint 2013 and Microsoft Project Server. While Microsoft considers XSS to be an elevation of privilege, keep in mind that it will allow the attacker to execute script in your browser, which could have worse outcomes than privilege escalation.

MS15-037

MS15-037 is an interesting update because no files are included in the patch. Instead, the update looks for invalid scheduled tasks related to Windows Defender and removes them. The vulnerability described by CVE-2015-0098 has to do with using invalid tasks to execute your own applications; these applications will execute in the context of System.

MS15-038

The next update this month resolves two vulnerabilities in Windows that could lead to privilege escalation.

MS15-039

MSXML 3.0 ships with every supported version of Microsoft Windows. The vulnerability allows the attacker to bypass the Same Origin Policy by making use of the document type declaration (DTD) used in XML files.

MS15-040

A vulnerability that only affects Windows Server 2012 R2 is resolved in MS15-040, specifically on systems using Active Directory Federation Services. If a user logs off a session, ADFS may not properly terminate the session, allowing a malicious individual to reopen the application and resume the previous user’s session with their permissions and access.

MS15-041

The second-to-last bulletin this month closes an information disclosure issue related to ASP.NET custom error messages. When custom errors are disabled, the generation of an error could disclose portions of the web configuration file. Microsoft has noted that this is not the recommended configuration for production systems, which should, hopefully, limit this issue to test environments.
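
A defender-side check for the configuration described above, as an added example that is not part of the original alert: it scans web.config content for `customErrors` set to `Off`, including per-path `<location>` overrides. The file names and XML are constructed samples, the function names are hypothetical, and the configs are assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config files (not from the original alert).
SAMPLE_CONFIGS = {
    "site-a/web.config": """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>""",
    "site-b/web.config": """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off" />
    </system.web>
  </location>
</configuration>""",
    "site-c/web.config": """<configuration>
  <system.web>
    <compilation targetFramework="4.5" />
  </system.web>
</configuration>""",
}


def custom_errors_findings(name, xml_text):
    """Return (file, scope, mode) for each scope with customErrors disabled."""
    root = ET.fromstring(xml_text)
    # Root-level settings plus <location> overrides, which are easy to miss.
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", "(all)"), loc) for loc in root.iter("location")]
    findings = []
    for scope, node in scopes:
        for ce in node.findall("system.web/customErrors"):
            mode = ce.get("mode", "RemoteOnly")  # ASP.NET default when unset
            if mode.strip().lower() == "off":
                findings.append((name, scope, mode))
    return findings


def audit(configs):
    """Run the check over a {file name: XML text} mapping, in name order."""
    results = []
    for name, text in sorted(configs.items()):
        results.extend(custom_errors_findings(name, text))
    return results


if __name__ == "__main__":
    for name, scope, mode in audit(SAMPLE_CONFIGS):
        print(f"{name}: customErrors mode={mode!r} in scope {scope}")
```

A config with no `customErrors` element, such as the third sample, is not flagged because ASP.NET then defaults to `RemoteOnly`.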

MS15-042

The final bulletin this month is a vulnerability affecting Microsoft Hyper-V. When a malicious application is executed in a guest operating system, it could prevent the management of other guest operating systems. This update changes the Virtual Machine Manager’s user input validation logic.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

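Ease of Use (published exploits) to Risk Table

| Ease of Use | Exposure | Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged |
|---|---|---|---|---|---|---|---|
| Automated Exploit | | | | | | | |
| Easy | | | MS15-040 | | | | |
| Moderate | | | | | | | |
| Difficult | | | | | | | |
| Extremely Difficult | | | | | | | |
| No Known Exploit | MS15-039, MS15-041 | MS15-042 | MS15-032, MS15-033, MS15-035 | | MS15-036 | MS15-037, MS15-038 | MS15-034 |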