
Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-618 on Wednesday, June 10th.

 

MS15-056

Internet Explorer Information Disclosure Vulnerability CVE-2015-1765
Multiple Elevation of Privilege Vulnerabilities MULTIPLE
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS15-057

Windows Media Player RCE via DataObject Vulnerability CVE-2015-1728

MS15-059

Microsoft Office Uninitialized Memory Use Vulnerability CVE-2015-1770
Multiple Microsoft Office Memory Corruption Vulnerabilities MULTIPLE

MS15-060

Microsoft Common Control Use After Free Vulnerability CVE-2015-1756

MS15-061

Microsoft Windows Kernel Information Disclosure Vulnerability CVE-2015-1719
Microsoft Windows Kernel Use After Free Vulnerability CVE-2015-1720
Win32k Null Pointer Dereference Vulnerability CVE-2015-1721
Multiple Microsoft Windows Kernel Vulnerabilities MULTIPLE
Multiple Windows Kernel Buffer Overflow Vulnerabilities MULTIPLE
Multiple Win32k Memory Corruption Elevation of Privilege Vulnerabilities MULTIPLE

MS15-062

ADFS XSS Elevation of Privilege Vulnerability CVE-2015-1757

MS15-063

Windows LoadLibrary EoP Vulnerability CVE-2015-1758

MS15-064

Exchange Server-Side Request Forgery Vulnerability CVE-2015-1764
Exchange Cross-Site Request Forgery Vulnerability CVE-2015-1771
Exchange HTML Injection Vulnerability CVE-2015-2359

MS15-056

This month starts like most with a cumulative update for Internet Explorer. While most of the vulnerabilities are standard fare, the publicly disclosed information disclosure vulnerability stands out. CVE-2015-1765 allows an attacker to access your browser history when you visit a malicious website that they control. While the worst-case scenario isn’t as bad as other vulnerabilities in this bundle, this attack is potentially easier to execute.

MS15-057

The second update this month resolves a single vulnerability affecting Windows Media Player versions 10 through 12 across Windows Server 2008 R2 and older operating systems. The result of visiting a website with a malicious DataObject is code execution in the context of the logged-in user.

MS15-059

Up next, we have a patch that resolves three vulnerabilities in Microsoft Office. These issues affect the Microsoft Office Compatibility Pack, Office 2010 and Office 2013. Microsoft has included an important reminder that people often forget: While the bulletin states Microsoft Office, any individual Microsoft Office product fits that category, so even if you only have Microsoft Word installed, you could be offered this update.

MS15-060

The single Microsoft Common Control vulnerability patched in MS15-060 is interesting due to its limited exposure. The vulnerability requires that the user run the Developer Tools in Internet Explorer. This likely limits the attack to a subset of developers and security researchers that are working with Internet Explorer; the average end-user is unlikely to run Developer Tools for any reason other than an accidental key press. This limited target base could lead to unique uses of this vulnerability.

MS15-061

This month the Windows Kernel-Mode Drivers update is rather large, not quite IE Cumulative Update size but still quite large, and it contains patches for every shipping version of Windows. This update has become a regular addition to Patch Tuesday, so everyone should be prepared for it and ready to apply these updates.

MS15-062

Active Directory Federation Services has seen a number of patches recently and this month we have another one. In this case, it’s a lack of proper sanitization on URLs that could lead to cross-site scripting, allowing the attacker to run scripts as the logged-in user. This security bulletin is interesting, as Microsoft has provided more details than they normally do regarding mitigation, indicating the vulnerable query parameter, the request path, and a simple attack string. While I’m sure that the string is sufficiently broken to avoid exploitation, administrators that cannot apply updates ASAP would be wise to deploy mitigations in their WAF to block requests that follow this format.

MS15-063

This month’s penultimate update resolves a single vulnerability in the Windows Kernel. This attack requires that a malicious DLL be placed on the system and then a special application needs to be run to call LoadLibrary.

MS15-064

The final bulletin resolves three vulnerabilities in Microsoft Exchange 2013. These attacks include a same-origin policy bypass, a CSRF, and HTML Injection, continuing the trend this month where most of the attacks occur in a web-based environment.

 

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease-of-Use (published exploits) to Risk Table

Rows (ease of use), with the bulletins listed in each row:

Automated Exploit: (none)
Easy: (none)
Moderate: (none)
Difficult: MS15-062
Extremely Difficult: (none)
No Known Exploit: MS15-056, MS15-057, MS15-059, MS15-060, MS15-064, MS15-061, MS15-063

Columns (exposure): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged