This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for April 2015.
The month Microsoft released a total of eleven (11) security bulletins. For this month, four (4) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other seven (7) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-032 (CVE-2015-1652, CVE-2015-1657, CVE-2015-1659 through 2015-1662, and CVE-2015-1665 through 2015-1668)
Here is the standard cumulative Internet Explorer Security Update. For a cumulative Internet Explorer update this one isn’t too large, addressing 10 vulnerabilities (2 less than last month) in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide version numbers of Internet Explorer that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Nine (9) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- The remaining one (1) vulnerability is an Address Space Layout Randomization (ASLR) bypass vulnerability. An attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature that is built in to Internet Explorer. On its own, this vulnerability would not allow arbitrary code execution. It would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
MS15-033 (CVE-2015-1641, CVE-2015-1649 through 2015-1651, and CVE-2015-1639)
This security update resolves vulnerabilities in several different versions of Microsoft Office. This includes multiple Remote Code Execution vulnerabilities that could allow a successful attacker to run arbitrary code in the context of the current user. The Remote Code Execution vulnerabilities are a result of Microsoft Office improperly handling rich text format files and improperly handling objects in memory. These vulnerabilities could be exploited by an attacker sending a specially crafted file via email or hosting it on a website and convincing the user to open the file.
In addition to the Windows versions of Microsoft Office being affected, the Mac version of Microsoft Office has an Elevation of Privilege vulnerability that is caused when it improperly sanitizes HTML strings. Similar to the Windows vulnerabilities, it would have to be exploited by convincing a user to open a specially crafted file that exploits the vulnerability.
This bulletin addresses a Remote Code Execution vulnerability in the HTTP.sys component of Microsoft Windows. It exists when the HTTP.sys component improperly parses specially crafted HTTP requests. This vulnerability is rated Critical for all currently supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Given the nature of this vulnerability, it is highly advised to deploy it aggressively.
Here we have a Remote Code Execution vulnerability in the Microsoft Graphics Component that is part of Windows. It exists when the component improperly processes a specially crafted Enhanced Metafile (EMF) image format file. As with most vulnerabilities that are exploited with a specially crafted file, it could be exploited via email or web attack scenarios. An attacker would need to convince the user to open the specially crafted file. It affects multiple versions of Microsoft Windows, although not the most current releases.
MS15-036 (CVE-2015-1640 and CVE-2015-1653)
We infrequently see security vulnerabilities in Microsoft SharePoint Server. This particular one is an Elevation of Privilege vulnerability that occurs when SharePoint Server improperly sanitizes a specially crafted request. If the attack is successful, the attacker could potentially perform cross-site scripting attacks and inject script to be executed in the security context of the currently authenticated user. SharePoint Server administrators should investigate this vulnerability and consider patching it rather quickly even though it is not rated Critical. The capability to potentially execute a cross-site scripting attack means this attack could be combined with another vulnerability such as a Remote Code Execution vulnerability in any browser software.
This security update resolves an Elevation of Privilege vulnerability in the Task Scheduler component of Microsoft Windows. The attack vector for this requires the attacker to be able to log in to the target system and determine whether or not the known invalid task is present. If it is present, the attacker could make changes to have the task execute a specially crafted application in the System account security context.
MS15-038 (CVE-2015-1643 and CVE-2015-1644)
Both of the security vulnerabilities in this update are Elevation of Privilege vulnerabilities that are a result of Microsoft Windows failing to properly validate and enforce impersonation levels. They exist in two (2) separate components, but are packaged together in this update. In both vulnerabilities, an attacker would need to log on to the system and then execute a specially crafted package.
Here we have a Security Feature Bypass vulnerability in the XML Core Services 3.0 component. Attackers have to convince users to click on a specially crafted link, usually via email or web attack scenarios. It affects multiple versions of Microsoft Windows, although not the most current releases.
This security update resolves an Information Disclosure vulnerability in Active Directory Federation Services (AD FS) component of Windows Server 2012 R2. If a user leaves their web browser open after logging off from an application that utilizes AD FS and an attacker immediately reopens the application in the browser, unintentional information disclosure could occur. This happens because the logoff actually fails and the attacker is therefore not prompted for user credentials.
Here is an Information Disclosure vulnerability in multiple versions of the Microsoft .NET Framework. If a server running ASP.NET applications has custom error messages disabled, an attacker could send a specially crafted web request and view parts of a web configuration file resulting in potentially exposing sensitive information. Administrators that are using ASP.NET applications with affected versions of the .NET Framework should target deploying this security update aggressively. Given the potential damage of exposing some information in web configuration files, this is a serious vulnerability.
Here we have a Denial of Service vulnerability in Hyper-V. This exists when an authenticated attacker runs a specially crafted application in a virtual machine (VM) session. It does not allow an attacker to elevate user rights or execute code on other VMs running on the same Hyper-V server. Because it is a Denial of Service vulnerability, it could potentially cause other VMs on the same host to not be manageable by Microsoft Virtual Machine Manager. If you’re using Hyper-V, install this update.
Additional Security Advisories:
Microsoft Security Advisory 3009008 – Vulnerability in SSL 3.0 Could Allow Information Disclosure
This security update disables SSL 3.0 by default in Internet Explorer 11. Also, Microsoft is announcing that they’re disabling SSL 3.0 across Microsoft online services over the coming months. This vulnerability is present in the overall design of the SSL 3.0 protocol and is present wherever it is utilized, so it is not specific to Microsoft.
Microsoft Security Advisory 3045755 – Update to Improve PKU2U Authentication
This security update improves the authentication used by the Public Key Cryptography User-to-User (PKU2U) security support provider (SSP). Public Key Cryptography User-to-User (PKU2U) is a security support provider (SSP) protocol that enables peer-to-peer authentication. It does so in the Windows HomeGroup feature which permits sharing between computers that are not members of a domain.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for April 2015 at the Microsoft site.
Until next month…stay safe!