Today’s VERT Alert addresses 9 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-601 on Wednesday, February 11.

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-009 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS15-009 | Multiple Elevation of Privilege Vulnerabilities in Internet Explorer | MULTIPLE |
| MS15-009 | Multiple Internet Explorer ASLR Bypass Vulnerabilities | MULTIPLE |
| MS15-009 | Internet Explorer Cross-domain Information Disclosure Vulnerability | CVE-2015-0070 |
| MS15-010 | Win32k Elevation of Privilege Vulnerability | CVE-2015-0003 |
| MS15-010 | CNG Security Feature Bypass Vulnerability | CVE-2015-0010 |
| MS15-010 | Win32K Elevation of Privilege Vulnerability | CVE-2015-0057 |
| MS15-010 | Windows Cursor Object Double Free Vulnerability | CVE-2015-0058 |
| MS15-010 | TrueType Font Parsing Remote Code Execution Vulnerability | CVE-2015-0059 |
| MS15-010 | Windows Font Driver Denial of Service Vulnerability | CVE-2015-0060 |
| MS15-011 | Group Policy Remote Code Execution Vulnerability | CVE-2015-0008 |
| MS15-012 | Excel Remote Code Execution Vulnerability | CVE-2015-0063 |
| MS15-012 | Office Remote Code Execution Vulnerability | CVE-2015-0064 |
| MS15-012 | OneTableDocumentStream Remote Code Execution Vulnerability | CVE-2015-0065 |
| MS15-013 | Microsoft Office Component Use After Free Vulnerability | CVE-2014-6362 |
| MS15-014 | Group Policy Security Feature Bypass Vulnerability | CVE-2015-0009 |
| MS15-015 | Windows Create Process Elevation of Privilege Vulnerability | CVE-2015-0062 |
| MS15-016 | TIFF Processing Information Disclosure Vulnerability | CVE-2015-0061 |
| MS15-017 | Virtual Machine Manager Elevation of Privilege Vulnerability | CVE-2015-0012 |

 

MS15-009

Microsoft starts out February making up for the lack of a January IE update, releasing fixes for 41 vulnerabilities. The upside is that one publicly exploited vulnerability was resolved; the downside is that the XSS released publicly last week wasn’t included in this patch drop.

 

MS15-010

The second bulletin this month should have been the second and third bulletins since it contains multiple updates for unassociated vulnerabilities. The only element that binds the vulnerabilities and updates together is the fact that both updates resolve issues with kernel mode drivers.

 

MS15-011

MS15-011 is the big bulletin this month, fixing a vulnerability labeled JASBUG, named after JAS Global Advisors, the group that discovered the issue. The most important takeaway here is that the bulletin doesn’t actually fix the vulnerability but rather puts a framework in place that allows you to mitigate the vulnerability.

JAS Global Advisors have released a fact sheet[1] that is worth a read, and Microsoft has released a detailed KB[2] with configuration data related to the new changes. The natural reaction will be to immediately apply the updates and the Microsoft-recommended configurations, but each domain’s specific criteria will need to be considered when deploying this update.

The end-of-life platforms Windows 2000 and Windows XP are also affected; hopefully, no one is still running them. The still-supported Windows Server 2003, however, also did not receive an update for this critical issue. This is an important consideration for enterprises that may have a slower than normal upgrade cycle.
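
Because installing the update alone does not mitigate the issue, it is worth checking that the configuration has actually landed on each host. The PowerShell below is an added example (not part of the original alert and not Microsoft's own tooling) that audits the Hardened UNC Paths policy described in the KB[2]. The registry key, the NETLOGON and SYSVOL path patterns and the option names come from Microsoft's guidance rather than from this page; the function name is hypothetical, and the required paths should be adjusted to your domain's own criteria.

```powershell
# Added example: audit the Hardened UNC Paths policy enabled by the MS15-011 update.
# Assumption: key, path patterns and option names follow Microsoft's KB 3000483 guidance.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

# Paths that should be hardened, and the options each must have set to 1.
$Required = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication', 'RequireIntegrity'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication', 'RequireIntegrity'
}

function Test-HardenedPathValue {
    # Hypothetical helper: returns $true only if every option in $Options is "=1"
    # in policy data such as "RequireMutualAuthentication=1, RequireIntegrity=1".
    param([string]$Data, [string[]]$Options)
    if ([string]::IsNullOrWhiteSpace($Data)) { return $false }
    $set = @{}   # hashtable keys compare case-insensitively
    foreach ($pair in ($Data -split ',')) {
        $name, $value = $pair.Trim() -split '=', 2
        if ($name) { $set[$name.Trim()] = "$value".Trim() }
    }
    foreach ($opt in $Options) {
        if ($set[$opt] -ne '1') { return $false }
    }
    return $true
}

# A missing key means the policy was never configured, even if the patch is installed.
$key = Get-Item -Path $PolicyKey -ErrorAction SilentlyContinue

$report = foreach ($path in $Required.Keys) {
    # RegistryKey.GetValue does an exact name lookup, so the '*' is not treated as a wildcard.
    $data = if ($key) { $key.GetValue($path) } else { $null }
    [pscustomobject]@{
        UncPath    = $path
        Configured = $data
        Compliant  = Test-HardenedPathValue -Data $data -Options $Required[$path]
    }
}

$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'Hardened UNC Paths policy is missing or incomplete on this host.'
}
```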

 

MS15-012

The first of two Office bulletins this month is rather typical, affecting Excel and Word in all their variations, including SharePoint, Office Web Apps, and the stand-alone viewers.

 

MS15-013

The second Office bulletin this month addresses an ASLR bypass that exists in all supported versions of Microsoft Office.

 

MS15-014

MS15-014 is the second Group Policy bulletin this month (it’s rare to see two of these in a year, let alone two in a single month). This one is rated Important, which feels like it may understate the issue.

A man-in-the-middle attack could cause the Group Policy Security Configuration Engine policy file to be corrupted. When this file is corrupted, the system may revert to a default group policy, which could be less secure than the applied group policy.

 

MS15-015

The only “Windows” vulnerability this month is a privilege escalation that could allow an authenticated user to gain administrator access to the system.

 

MS15-016

The second-to-last bulletin this month resolves an issue with TIFF image parsing that could allow memory disclosure. While this attack is not necessarily dangerous on its own, it could be paired with another attack to increase the likelihood of success.

 

MS15-017

The final bulletin this month is definitely one to keep an eye on if you are running Microsoft System Center Virtual Machine Manager in your environment. It is a privilege escalation issue that could give an attacker full control over all guest operating systems.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | |
| Easy | |
| Moderate | |
| Difficult | MS15-011 |
| Extremely Difficult | |
| No Known Exploit | MS15-013, MS15-014, MS15-016, MS15-009, MS15-012, MS15-010, MS15-015, MS15-017 |

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

 

[1] https://www.jasadvisors.com/about-jas/jasbug-security-vulnerability-fact-sheet/

[2] https://support.microsoft.com/kb/3000483