Update on July 20th:
As an addendum, Microsoft released an out-of-band patch on July 20th. Microsoft only releases out-of-band patches for the most critical security bugs, so this one should be treated as a top priority.
Application Control's Memory Protection feature (its protection against remote code execution) helps protect against this attack, but it is not a substitute for the patch.
This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for July 2015.
After a light June, we’re back to a heavy July for patches; Microsoft released a total of fourteen (14) new security bulletins. For this month, four (4) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code execution without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other ten (10) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided under the McAfee Labs Security Advisory number listed for that bulletin.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-058 (CVE-2015-1761 through 1763)
We don’t often see security bulletins for Microsoft SQL Server. This one addresses remote code execution vulnerabilities that exist if an authenticated attacker runs a specially crafted query. Note that the attacker must already be authenticated and hold permission to create or modify a database, so this is not reachable by an anonymous remote user; it does, however, turn any compromised or over-privileged database login into a path to code execution on the server. It affects multiple versions of SQL Server, so be sure to check the bulletin for details. Given the widespread use of Microsoft SQL Server and the potential gold-mine of information that may be present in databases, db admins should patch their SQL Servers as soon as they can.
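Because the precondition for this bulletin is a login that can already create or modify a database, a useful companion to the patch is an inventory of who holds that right on each instance. The script below is an added example written for this newsletter, not code from Intel Security or Microsoft. It assumes Windows-integrated authentication to each instance and uses only the SqlClient provider that ships with .NET; the instance names are placeholders.

```powershell
# Added example (not from the original newsletter or Intel Security).
# Lists server principals that can create or alter databases on each instance,
# either through an explicit GRANT or through the sysadmin/dbcreator roles, and
# reports the build so you can compare it with the bulletin's fixed version.
# Assumes integrated auth; instance names below are placeholders.

function Invoke-AuditQuery {
    param(
        [Parameter(Mandatory)] [string] $Instance,
        [Parameter(Mandatory)] [string] $Sql
    )
    $connStr = "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList $connStr
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        $table.Rows            # emit one DataRow per result to the pipeline
    }
    finally {
        $conn.Dispose()
    }
}

$creatorsSql = @'
SELECT p.name AS principal_name, p.type_desc, perm.permission_name AS granted_via
FROM sys.server_principals AS p
JOIN sys.server_permissions AS perm
  ON perm.grantee_principal_id = p.principal_id
WHERE perm.state_desc = 'GRANT'
  AND perm.permission_name IN ('CREATE ANY DATABASE', 'ALTER ANY DATABASE')
UNION ALL
SELECT m.name, m.type_desc, 'ROLE ' + r.name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'dbcreator')
ORDER BY principal_name;
'@

$versionSql = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(64)) AS version"

# Placeholder instance names: replace with the instances you manage.
$instances = @('SQL01', 'SQL02\INST1')

foreach ($inst in $instances) {
    try {
        $build = @(Invoke-AuditQuery -Instance $inst -Sql $versionSql)[0].version
        Write-Host "== $inst (build $build) =="
        Invoke-AuditQuery -Instance $inst -Sql $creatorsSql |
            Select-Object principal_name, type_desc, granted_via |
            Format-Table -AutoSize
    }
    catch {
        Write-Warning "$inst : $($_.Exception.Message)"
    }
}
```

The query covers server-level rights only; membership in db_owner or db_ddladmin inside an individual database also satisfies the "modify a database" precondition, so review those roles per database as well. Trimming the list does not remove the vulnerability, it only narrows who can reach it until the patch is applied.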
MS15-065 (CVE-2015-1729, 2015-1733, 2015-1738, 2015-1767, 2015-2372, 2015-2383 through 2385, 2015-2388 through 2391, 2015-2397, 2015-2398, 2015-2401 through 2404, 2015-2406, 2015-2408, 2015-2410 through 2414, 2015-2419, 2015-2421, 2015-2422, and 2015-2425)
Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 29 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide range of Internet Explorer versions affected, this touches a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Twenty-one (21) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Five (5) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.
- Two (2) of these vulnerabilities are Security Feature Bypass vulnerabilities. One of them bypasses the Address Space Layout Randomization feature and the other bypasses the XSS filter.
- One (1) of these vulnerabilities is an Elevation of Privilege vulnerability. On its own, this vulnerability would not allow arbitrary code execution. It would need to be chained with an unpatched remote code execution vulnerability in order for an attacker to be able to execute arbitrary code with elevated privileges.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
This security update resolves a Remote Code Execution vulnerability in the VBScript Scripting Engine. It could be triggered if a user visits a specially crafted website, giving the attacker the same user rights as the current user. Note that this is for VBScript on Windows Server 2003, Windows Vista, Windows Server 2008, and Windows Server 2008 Server Core with Internet Explorer 7 or earlier or without Internet Explorer. Anything running Internet Explorer 8 or later will get the fix with the MS15-065 update.
This bulletin addresses a Remote Code Execution vulnerability in the Remote Desktop Protocol (RDP). It affects Windows 7, Windows 8, Windows Server 2012, and Windows Server 2012 Server Core. While the most likely outcome would be a Denial of Service (DoS) condition on the Remote Desktop service, remote code execution is possible. VDI environments expose the RDP listener to a large population of users by design and are an obvious target for this attack, so administrators should patch their VDI setups with this fix first.
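Before rolling out the RDP fix it helps to know which hosts on the affected platforms actually have the Remote Desktop listener enabled, so the VDI fleet and any other exposed machines go first. The script below is an added example for this newsletter, not code from Intel Security or Microsoft. It reads the well-known Terminal Server registry keys over the remote registry, assumes the Remote Registry service is reachable on each host, and uses placeholder host names. It is an inventory aid only; it does not mitigate the vulnerability.

```powershell
# Added example (not from the original newsletter or Intel Security).
# Reports, per host, whether the OS is one of the families listed for the RDP
# bulletin (Windows 7, Windows 8, Windows Server 2012) and whether the RDP
# listener is enabled. Assumes Remote Registry is reachable; host names are
# placeholders. NLA status is shown as a general hardening signal only.

function Get-RdpExposure {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $os  = $base.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
        $ts  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
        $tcp = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        if (-not $os -or -not $ts -or -not $tcp) {
            throw "Expected registry keys not found on $ComputerName"
        }

        $product = [string]$os.GetValue('ProductName')
        $deny    = [int]$ts.GetValue('fDenyTSConnections', 1)   # 1 = RDP disabled
        $port    = [int]$tcp.GetValue('PortNumber', 3389)
        $nla     = [int]$tcp.GetValue('UserAuthentication', 0)  # 1 = NLA required

        # Families named in the bulletin summary; 8.1 and 2012 R2 are excluded by lookahead.
        $affected = $product -match 'Windows 7|Windows 8(?!\.1)|Windows Server 2012(?! R2)'

        [pscustomobject]@{
            ComputerName = $ComputerName
            ProductName  = $product
            AffectedOS   = $affected
            RdpEnabled   = ($deny -eq 0)
            RdpPort      = $port
            NlaRequired  = ($nla -eq 1)   # hardening signal, not a fix for this bulletin
        }
    }
    finally {
        $base.Close()
    }
}

# Placeholder host list; in practice feed this from AD or the VDI broker.
'VDI-01', 'VDI-02', 'FILE-01' |
    ForEach-Object {
        $name = $_
        try { Get-RdpExposure -ComputerName $name }
        catch { Write-Warning "$name : $($_.Exception.Message)" }
    } |
    Where-Object { $_.AffectedOS -and $_.RdpEnabled } |
    Format-Table -AutoSize
```

Hosts that come back with AffectedOS and RdpEnabled both true are the ones to patch first; hosts with RDP disabled are still vulnerable code-wise and should not be skipped, they are simply less exposed.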
MS15-068 (CVE-2015-2361 and 2362)
Here we have a pair of Remote Code Execution vulnerabilities in Windows Hyper-V. For either of these to be exploited, an attacker would need to be authenticated and privileged on a guest virtual machine and then execute a specially crafted application there. Successful exploitation would allow code execution in the host context, which is a guest-to-host escape. If you’re using Windows Hyper-V, it is advised to get this patch deployed as soon as possible.
MS15-069 (CVE-2015-2368 and 2369)
This security update addresses two (2) Remote Code Execution vulnerabilities in Microsoft Windows. Both involve the loading of specially crafted dynamic link library (DLL) files and could result in an attacker taking complete control of an affected system. They affect a wide range of client and server Windows operating systems.
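The only fix for these two DLL-loading flaws is the patch. Microsoft’s general DLL search-order hardening (SafeDllSearchMode and the CWDIllegalInDllSearch value from KB2264107) is still worth checking as defense in depth, because DLL-planting bugs of this class rely on the loader looking in attacker-controlled directories. The script below is an added example for this newsletter, not code from Intel Security or Microsoft, and it makes no claim that these settings block this bulletin’s vulnerabilities specifically; it is a posture check run on the local machine.

```powershell
# Added example (not from the original newsletter or Intel Security).
# Reads the two DLL search-order hardening values Microsoft documents in
# KB2264107 plus any per-application overrides under Image File Execution
# Options. Posture check only; it does not mitigate the bulletin above.

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-DllSearchHardening {
    $props = Get-ItemProperty -Path $sessionManager

    # SafeDllSearchMode: absent or 1 means system directories are searched before
    # the current directory; 0 reverts to the legacy order that favours planting.
    $safe = if ($null -eq $props.SafeDllSearchMode) { 1 } else { [int]$props.SafeDllSearchMode }

    # CWDIllegalInDllSearch: 0xFFFFFFFF removes the current directory from the DLL
    # search entirely, 2 blocks it for WebDAV and remote shares, 1 for WebDAV only.
    $cwd = $props.CWDIllegalInDllSearch
    $cwdMeaning = if ($null -eq $cwd) {
        'not set: current directory is still searched'
    } else {
        switch ([int64]$cwd) {
            -1         { 'current directory removed from DLL search' }
            4294967295 { 'current directory removed from DLL search' }
            2          { 'blocked for WebDAV and remote shares' }
            1          { 'blocked for WebDAV locations only' }
            default    { "unrecognised value $cwd" }
        }
    }

    # Per-executable overrides take precedence over the system-wide value.
    $overrides = Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = (Get-ItemProperty -Path $_.PSPath).CWDIllegalInDllSearch
            if ($null -ne $v) {
                [pscustomobject]@{ Executable = $_.PSChildName; CWDIllegalInDllSearch = $v }
            }
        }

    [pscustomobject]@{
        SafeDllSearchMode     = $safe
        CWDIllegalInDllSearch = $cwdMeaning
        PerAppOverrides       = @($overrides)
    }
}

Get-DllSearchHardening | Format-List
```

A SafeDllSearchMode of 0, or an unset CWDIllegalInDllSearch on a host where users open documents from network shares, is worth fixing regardless of this bulletin. Test the 0xFFFFFFFF setting before deploying it broadly, since some legacy applications depend on loading DLLs from the current directory.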
MS15-070 (CVE-2015-2375 through 2380, 2015-2415, and 2015-2424)
This security update resolves multiple vulnerabilities in Microsoft Office. Six (6) of these are memory corruption vulnerabilities (each allowing remote code execution through a specially crafted file), one (1) is an Address Space Layout Randomization bypass, and the other one (1) is a further Remote Code Execution vulnerability. These affect a wide range of Office products, from 2007 through 2013 (including 2013 RT versions), one Office product on the Mac, the Viewers, and Excel Services on three (3) different versions of SharePoint. Lots of updates to be applied here, but it is highly advised to get them deployed.
Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in Netlogon and could allow an attacker to get elevated domain credentials by running a specially crafted application that establishes a secure channel to a Primary Domain Controller (PDC) as a Backup Domain Controller (BDC). Therefore, this affects domain controllers…so get those critical infrastructure servers updated.
A vulnerability in a graphics component in Microsoft Windows could potentially allow Elevation of Privilege if the component doesn’t properly process bitmap conversions. The attacker does need to be authenticated in order to exploit this one. It affects client and server versions of Microsoft Windows.
MS15-073 (CVE-2015-2363, 2015-2365 through 2367, 2015-2381 and 2382)
Here we see three (3) Elevation of Privilege vulnerabilities and three (3) Information Disclosure vulnerabilities in Windows Kernel-Mode drivers. The Elevation of Privilege vulnerabilities are a result of the way the kernel-mode drivers handle objects in memory. The Information Disclosure vulnerabilities could potentially allow the disclosure of kernel memory contents, addresses, or other sensitive kernel information that could be used to attack the system in the future (a kernel address leak is exactly what an attacker needs to defeat kernel ASLR in a later exploit). While these aren’t the more serious Remote Code Execution vulnerabilities, they could lead to future attacks on systems, so it is best to close these holes quickly.
This is a single Elevation of Privilege vulnerability in the Windows Installer service, specifically in how it runs custom action scripts. Exploiting it is a complex attack with a lot of moving parts. It affects a wide range of client and server Windows operating systems.
MS15-075 (CVE-2015-2416 and 2417)
Here we’ve got a pair of Elevation of Privilege vulnerabilities in Microsoft Windows OLE. They could be combined with another vulnerability to allow arbitrary code to run, but by themselves they don’t allow for remote code execution.
This is a vulnerability in Windows Remote Procedure Call (RPC) authentication. An attacker who is already logged on to the system would have to run a crafted application to exploit this vulnerability, which allows DCE/RPC connection reflection and thereby elevation of privilege.
Finally, this bulletin addresses an Elevation of Privilege vulnerability in the Adobe Type Manager (ATM) Font Driver. The attacker would need to already be logged on to the system and then execute a specially crafted application in order to exploit this vulnerability.
Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (it is listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on July 8th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that ships as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security Bulletin APSB15-16. McAfee Labs Security Advisories for these vulnerabilities are published in MTIS15-104.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
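Whatever channel the updates arrive through, the last step is confirming they actually landed. The script below is an added example for this newsletter, not code from Intel Security or Microsoft. Get-HotFix (Win32_QuickFixEngineering) only lists OS-level updates, so the Windows Update Agent history is checked as a second source, which also sees Office updates such as the ones in MS15-070. The Flash.ocx version is reported for Advisory 2755801 on Windows 8/8.1/Server 2012, where Microsoft services the IE-integrated player. The KB identifiers in the usage line are placeholders, since the real numbers vary by OS and product and must be taken from each bulletin’s affected-software table.

```powershell
# Added example (not from the original newsletter or Intel Security).
# Confirms on the local host that a list of expected KBs is installed, using
# both the QFE list and Windows Update history, and reports the IE-integrated
# Flash.ocx version for Advisory 2755801. KB numbers passed in are placeholders.

function Test-PatchState {
    param([Parameter(Mandatory)] [string[]] $ExpectedKb)

    # Source 1: Win32_QuickFixEngineering (OS updates only, not Office).
    $qfe = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # Source 2: Windows Update Agent history; ResultCode 2 means the install succeeded.
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $wuTitles = if ($count -gt 0) {
        $searcher.QueryHistory(0, $count) |
            Where-Object { $_.ResultCode -eq 2 } |
            ForEach-Object { $_.Title }
    } else { @() }

    $missing = foreach ($kb in $ExpectedKb) {
        $inQfe = $qfe -contains $kb
        $inWu  = [bool]($wuTitles | Where-Object { $_ -match "\($kb\)" })   # titles end in "(KBnnnnnnn)"
        if (-not ($inQfe -or $inWu)) { $kb }
    }

    # The IE-integrated Flash player lives here on Windows 8 and later; absent elsewhere.
    $flash = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'
    $flashVersion = if (Test-Path $flash) {
        (Get-Item $flash).VersionInfo.ProductVersion
    } else {
        'not present'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        MissingKb    = @($missing)
        FlashOcx     = $flashVersion
    }
}

# Placeholder KB IDs: substitute the ones the July 2015 bulletins list for this OS.
Test-PatchState -ExpectedKb 'KB0000001', 'KB0000002' | Format-List
```

Compare the reported Flash.ocx version with the fixed version in APSB15-16; an empty MissingKb list is only meaningful if the KB list you passed in came from the bulletins for that exact OS and product mix.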
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for July 2015 at the Microsoft site.
Until next month…stay safe!