This is Greg Blaum with the Microsoft Patch Tuesday newsletter for August 2015.
Welcome to the first Patch Tuesday update after the release of Windows 10 by Microsoft Corporation. This month Microsoft released a total of fourteen (14) new security bulletins. For this month, four (4) of these are rated Critical, the rating Microsoft gives to a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other ten (10) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
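Because coverage is tracked per vulnerability rather than per bulletin, the first step in cross-referencing it is expanding the CVE shorthand used in the bulletin headings below (for example "CVE-2015-2423, 2441 through 2452") into individual CVE identifiers. The following is an added example, not part of this newsletter or of any McAfee tool; it parses that heading notation and builds an index of which bulletins share a CVE, using only headings copied from this page as sample input.

```python
import re
from collections import defaultdict

# Matches a bulletin heading such as
# "MS15-080 (CVE-2015-2432 & 2433, 2435, 2453 through 2456, and 2458 through 2465)".
HEADING_RE = re.compile(r"^(MS\d{2}-\d{3})\s*\((.*)\)\s*$")
CVE_PREFIX_RE = re.compile(r"CVE-(\d{4})-")

def expand_cves(heading: str) -> tuple[str, list[str]]:
    """Return (bulletin id, full list of CVE ids) for one heading line."""
    m = HEADING_RE.match(heading.strip())
    if not m:
        raise ValueError(f"not a bulletin heading: {heading!r}")
    bulletin, body = m.group(1), m.group(2)
    years = set(CVE_PREFIX_RE.findall(body))
    if len(years) != 1:
        raise ValueError("expected exactly one CVE-YYYY- prefix in the heading")
    year = years.pop()
    body = CVE_PREFIX_RE.sub("", body)          # keep only the numeric parts
    tokens = re.findall(r"\d+|through", body)   # '&', 'and' and ',' are separators
    cves: list[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "through":
            raise ValueError("'through' without a starting number")
        if i + 2 < len(tokens) and tokens[i + 1] == "through":
            lo, hi = int(tokens[i]), int(tokens[i + 2])
            if hi < lo:
                raise ValueError(f"descending range {lo} through {hi}")
            cves.extend(f"CVE-{year}-{n}" for n in range(lo, hi + 1))
            i += 3
        else:
            cves.append(f"CVE-{year}-{int(tokens[i])}")
            i += 1
    return bulletin, cves

def cve_index(headings: list[str]) -> dict[str, list[str]]:
    """Map each CVE id to every bulletin that lists it (one CVE can appear in several)."""
    index: dict[str, list[str]] = defaultdict(list)
    for heading in headings:
        bulletin, cves = expand_cves(heading)
        for cve in cves:
            index[cve].append(bulletin)
    return dict(index)

if __name__ == "__main__":
    # Sample input: two headings copied from this month's bulletin list.
    sample = [
        "MS15-079 (CVE-2015-2423, 2441 through 2452)",
        "MS15-081 (CVE-2015-1642, 2423, 2466 through 2470, and 2477)",
    ]
    for cve, bulletins in sorted(cve_index(sample).items()):
        print(cve, ", ".join(bulletins))
```

Running it shows CVE-2015-2423 listed under both MS15-079 and MS15-081, which is why a coverage check has to be done per CVE rather than per bulletin.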
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-079 (CVE-2015-2423, 2441 through 2452)
Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 13 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because such a wide range of Internet Explorer versions is affected, this update covers a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Ten (10) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. Both of them bypass the Address Space Layout Randomization (ASLR) feature.
- One (1) of these vulnerabilities is an Information Disclosure vulnerability. If exploited, an attacker could potentially read data that was not intended to be disclosed.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
MS15-080 (CVE-2015-2432 & 2433, 2435, 2453 through 2456, and 2458 through 2465)
This security update addresses multiple vulnerabilities in a Microsoft graphics component that is shared among multiple applications. It resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. Users will be offered multiple update packages based on what products are installed on their machines.
Here are the vulnerabilities broken down into groups:
· Six (6) OpenType Font Parsing
· Five (5) TrueType Font Parsing
· Office Graphics Component Remote Code Execution (RCE)
· Kernel Address Space Layout Randomization (ASLR) Security Feature Bypass
· Client/Server Run-time Subsystem (CSRSS) Elevation of Privilege
· Windows Kernel-Mode Driver (KMD) Security Feature Bypass
· Windows Shell Security Feature Bypass
MS15-081 (CVE-2015-1642, 2423, 2466 through 2470, and 2477)
This security update resolves multiple vulnerabilities in Microsoft Office software. It affects the following versions of Microsoft Office software: Office 2007, Office 2010, Office 2013, Office 2013 RT, Office for Mac 2011, Office for Mac 2016, Word Viewer, and the Office Compatibility Pack SP3.
Here are the vulnerabilities broken down into groups:
· Five (5) Memory Corruption
· Unsafe Command Line Parameter Passing Information Disclosure (this vulnerability *has* been publicly disclosed)
· Office Remote Code Execution in failure to properly validate templates
· Office Integer Underflow Remote Code Execution
MS15-082 (CVE-2015-2472 & 2473)
This bulletin addresses two (2) vulnerabilities in the Remote Desktop Protocol (RDP). It affects multiple versions of Windows, including client and server versions. Please check the bulletin for specifics on the versions affected. Get these updates deployed to hosts with RDP enabled.
The first vulnerability is a failure of the Remote Desktop Session Host (RDSH) to properly validate certificates during authentication. If successfully exploited, an attacker could impersonate the RDP client session. The second vulnerability is a result of the Microsoft Windows Remote Desktop Protocol client improperly handling the loading of certain specially crafted DLL files. A successful exploitation of this vulnerability would result in the attacker being able to take complete control of an affected system.
Here we have a Remote Code Execution vulnerability when Server Message Block (SMB) improperly handles certain logging activities. It only affects Windows Vista and Server 2008 (including the Server Core installation). Server Message Block (SMB) is a network file sharing protocol that is built into Windows.
MS15-084 (CVE-2015-2434, 2440, and 2471)
This security update addresses three (3) Information Disclosure vulnerabilities in XML Core Services. Some versions of the XML Core Services are provided as part of Microsoft Windows, while other versions ship with additional software such as Microsoft Office.
The following versions of XML Core Services are affected:
· Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on all supported releases of Microsoft Windows except Windows 10, which is not affected.
· Microsoft XML Core Services 5.0 on Microsoft Office 2007 Service Pack 3
· Microsoft XML Core Services 5.0 on Microsoft InfoPath 2007 Service Pack 3
This security update resolves an Elevation of Privilege vulnerability in the Mount Manager component of Microsoft Windows. It is a result of the Mount Manager improperly processing symbolic links when a USB device is inserted into a target system.
Here we have an Elevation of Privilege vulnerability in Microsoft System Center Operations Manager 2012 and 2012 R2. It is a result of improper validation of input and could allow an attacker to inject a client-side script into the user’s browser. The users primarily at risk from this vulnerability are those who are authorized to access the System Center Operations Manager web consoles.
This update resolves an Elevation of Privilege vulnerability in the Universal Description, Discovery, and Integration (UDDI) Services. It affects Windows Server 2008 (including the Server Core installation) and multiple versions of BizTalk Server.
Here we have an Information Disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To be exploited, it has to be combined with another vulnerability in Internet Explorer. Once that is done, an attacker could use this unsafe command line parameter passing vulnerability to launch Notepad, Visio, PowerPoint, Excel, or Word, resulting in Information Disclosure. This vulnerability *has* been publicly disclosed.
This is a single Information Disclosure vulnerability in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client. Similar to other vulnerabilities we’ve seen, it is a result of the use of SSL 2.0 and is resolved by defaulting to a more secure protocol than SSL 2.0.
MS15-090 (CVE-2015-2428 through 2430)
Here we’ve got a trio of Elevation of Privilege vulnerabilities in Microsoft Windows. They exist in the following components: Windows Object Manager, Windows Registry, and Windows Filesystem. They are present in client and server versions of Microsoft Windows.
MS15-091 (CVE-2015-2441 & 2442, 2446, and 2449)
This is our first Windows 10-only security vulnerability update. It resolves four (4) separate vulnerabilities in Microsoft Edge, the new web browser client that is built into Windows 10. Three (3) of the vulnerabilities are Remote Code Execution Memory Corruption vulnerabilities and the other one is an Address Space Layout Randomization (ASLR) Security Feature Bypass vulnerability. Get this deployed to those new Windows 10 systems.
MS15-092 (CVE-2015-2479 through 2481)
Finally, this bulletin addresses three (3) Elevation of Privilege vulnerabilities in the Microsoft .NET Framework. It affects the Microsoft .NET Framework 4.6 on all supported versions of Microsoft Windows, except the Itanium editions.
Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on August 11th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, Windows Server 2012 & 2012 R2, and Windows 10. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-19. McAfee Labs Security Advisories for these vulnerabilities will be published on the McAfee Labs Security Advisories Community site.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for August 2015 at the Microsoft site.
Until next month…stay safe!