
Today’s VERT Alert addresses 14 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-623 on Wednesday, July 15th.

| Bulletin | Vulnerability | CVE |
|---|---|---|
| MS15-058 | SQL Server Elevation of Privilege Vulnerability | CVE-2015-1761 |
| MS15-058 | SQL Server Remote Code Execution Vulnerability | CVE-2015-1762 |
| MS15-058 | SQL Server Remote Code Execution Vulnerability | CVE-2015-1763 |
| MS15-065 | VBScript Memory Corruption Vulnerability | CVE-2015-2372 |
| MS15-065 | Internet Explorer XSS Filter Bypass Vulnerability | CVE-2015-2398 |
| MS15-065 | Internet Explorer Elevation of Privilege Vulnerability | CVE-2015-2402 |
| MS15-065 | JScript9 Memory Corruption Vulnerability | CVE-2015-2419 |
| MS15-065 | Internet Explorer ASLR Bypass | CVE-2015-2421 |
| MS15-065 | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS15-065 | Multiple Internet Explorer Information Disclosure Vulnerabilities | MULTIPLE |
| MS15-066 | VBScript Memory Corruption Vulnerability | CVE-2015-2372 |
| MS15-067 | Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability | CVE-2015-2373 |
| MS15-068 | Hyper-V Buffer Overflow Vulnerability | CVE-2015-2361 |
| MS15-068 | Hyper-V System Data Structure Vulnerability | CVE-2015-2362 |
| MS15-069 | Windows DLL Remote Code Execution Vulnerability | CVE-2015-2368 |
| MS15-069 | DLL Planting Remote Code Execution Vulnerability | CVE-2015-2369 |
| MS15-070 | Multiple Microsoft Office Memory Corruption Vulnerabilities | Multiple |
| MS15-070 | Microsoft Excel ASLR Bypass Vulnerability | CVE-2015-2375 |
| MS15-070 | Microsoft Excel DLL Remote Code Execution Vulnerability | CVE-2015-2378 |
| MS15-071 | Elevation of Privilege Vulnerability in Netlogon | CVE-2015-2374 |
| MS15-072 | Graphics Component EOP Vulnerability | CVE-2015-2364 |
| MS15-073 | Multiple Elevation of Privilege Vulnerability | MULTIPLE |
| MS15-073 | Multiple Information Disclosure Vulnerability | MULTIPLE |
| MS15-074 | Windows Installer EoP Vulnerability | CVE-2015-2371 |
| MS15-075 | OLE Elevation of Privilege Vulnerability I | CVE-2015-2416 |
| MS15-075 | OLE Elevation of Privilege Vulnerability II | CVE-2015-2417 |
| MS15-076 | Windows RPC Elevation of Privilege Vulnerability | CVE-2015-2370 |
| MS15-077 | ATMFD.DLL Memory Corruption Vulnerability | CVE-2015-2387 |

MS15-058

The July Patch Tuesday starts off with June’s forgotten patch. This is the mystery bulletin that had its ID assigned but was held back last month. We now know that it resolves three privately reported vulnerabilities in Microsoft SQL Server.

MS15-065

Up next, we have the latest Internet Explorer Cumulative update, which resolves 29 vulnerabilities. This includes CVE-2015-2398, CVE-2015-2421, CVE-2015-2413, and CVE-2015-2419 – all of which have been publicly disclosed. While none of these are currently being exploited, the knowledge that they are public should skyrocket the patch priority of this month’s update for most enterprises.

MS15-066

Just as we saw back in March, this month we have another update to VBScript where the update is spread across multiple bulletins. In this case, the update includes MS15-065, for versions of IE that ship with VBScript bundled, and MS15-066 for standalone versions of VBScript.

MS15-067

Up next, we have a vulnerability that only affects the latest Microsoft operating systems – Windows 7, Windows 8, and Windows Server 2012. This is one of the more critical issues this month since an unauthenticated attacker can target a listening service. If you have any affected boxes listening on the RDP port remotely, you may want to restrict or disable access until you can apply this update.
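
One way to act on that advice on Windows 8 and Windows Server 2012 hosts, as an added example that is not part of the original VERT alert: the script reports whether RDP is enabled and listening, shows how the inbound firewall rules are scoped, and narrows them only when a subnet is supplied. The `AllowedRemoteAddress` parameter and its sample value are assumptions; Windows 7 lacks these NetSecurity cmdlets, and the 'Remote Desktop' group name is the English display name.

```powershell
# Added example: audit and optionally scope inbound RDP on the local host.
# Needs the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later), run elevated.
param(
    # Assumption: management subnet allowed to reach RDP, e.g. '192.0.2.0/24' (documentation range).
    [string[]]$AllowedRemoteAddress
)

$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0

# The listener port is configurable, so read it instead of assuming 3389.
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp").PortNumber

$listening = @(Get-NetTCPConnection -State Listen -LocalPort $port `
    -ErrorAction SilentlyContinue).Count -gt 0

# Enabled inbound rules in the built-in Remote Desktop firewall group.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

"RDP enabled: $rdpEnabled  port: $port  listening: $listening"

foreach ($r in $rules) {
    $scope = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    '{0,-45} profile={1} remote={2}' -f $r.DisplayName, $r.Profile, $scope
    if ($scope -eq 'Any') {
        Write-Warning "$($r.DisplayName) accepts RDP from any remote address"
    }
}

# Restrict the rules only when the operator supplied a subnet; otherwise this is read-only.
if ($AllowedRemoteAddress -and $rules) {
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
    "Inbound RDP rules now limited to: $($AllowedRemoteAddress -join ', ')"
}
```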

MS15-068

Another vulnerability that appears near the top of the list this month is MS15-068, which resolves two vulnerabilities in Hyper-V. In both cases, the Hyper-V vulnerabilities could allow an attacker with privileged access to a guest VM to break out of the VM and gain access to the host environment. Those running shared hosting on Microsoft Hyper-V should pay close attention to the deployment of this patch, as they will be the biggest targets until their systems are up-to-date.

MS15-069

DLL loading issues were common for a while, but now the updates seem to appear less frequently. This month the issues appear once again with two vulnerabilities, both of which involve loading malicious DLLs onto the system. The attack vector for these vulnerabilities greatly reduces their risk compared to a number of other bulletins released this month.

MS15-070

A Microsoft patch drop isn’t complete without at least one Microsoft Office bulletin. This month’s quota is met by MS15-070, which resolves a large number of vulnerabilities affecting all supported versions of Microsoft Office as well as Excel Service on SharePoint Server 2007, 2010, and 2013.

MS15-071

There’s almost always a moment of fear when a vulnerability’s title includes “Netlogon” and it mentions the domain controller. Luckily, MS15-071 requires that an attacker already have credentials and access to a primary domain controller. That attacker could then create a fake backup domain controller. Since most domain controllers are locked down and not exposed to the Internet, the risk here should be limited to insider threats. That is not, however, a mitigation and enterprises should apply this update as soon as possible.

MS15-072

Up next, we have a vulnerability in Windows Graphics, another common sight on Patch Tuesday. This particular vulnerability occurs when processing bitmap conversions. Luckily, this does not appear to be a file format issue, which means that drive-by attacks are not possible.

MS15-073

Much like Internet Explorer and Office, we can expect to see Win32k patched every single month. This was true again this month with 6 vulnerabilities in Win32k resolved in this update.

MS15-074

This update is an interesting elevation of privilege due to its complexity, which should limit its attractiveness to attackers. The attacker must gain access to a system, find a vulnerable .msi file, and load custom code that the .msi can find and execute.

MS15-075

Up next we have two vulnerabilities in Microsoft OLE that could be used to elevate privileges. According to Microsoft, attackers could chain exploits for these vulnerabilities with Internet Explorer vulnerabilities in order to gain higher privileges within IE.

MS15-076

The penultimate update this month fixes a vulnerability that allows for DCE/RPC connection reflection. Microsoft has stated that an attacker would need to be logged into a system and run a specially crafted application in order to exploit this vulnerability and elevate their privileges.

MS15-077

The final vulnerability this month should be at the top of everyone’s list: it’s the ATM Font Driver vulnerability that was released in the data dump from the recent Hacking Team Hack. Since exploit code is available, patching this should be a priority.

Additional Details

Adobe has released updates for Acrobat/Reader (APSB15-15), Shockwave (APSB15-17), and Flash (APSB15-18). Additionally, Oracle released their July CPU today including updates for Oracle Database, MySQL, Solaris, and Java.

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease-of-Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | MS15-077 |
| Easy | |
| Moderate | MS15-070 |
| Difficult | |
| Extremely Difficult | MS15-065 |
| No Known Exploit | MS15-066, MS15-072, MS15-075, MS15-076, MS15-058, MS15-071, MS15-073, MS15-074, MS15-067, MS15-068, MS15-069 |

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged