This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for June 2015.
June is a lighter month for patches; Microsoft released a total of eight (8) new security bulletins. For this month, two (2) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other six (6) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-056 (CVE-2015-1687, CVE-2015-1730 through 1732, CVE-2015-1735 through 1737, CVE-2015-1739 through 1745, CVE-2015-1747 and 1748, CVE-2015-1750 through 1755, CVE-2015-1765 and 1766)
Here is the standard cumulative Internet Explorer Security Update. This is another big Internet Explorer update, addressing 24 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because these vulnerabilities span such a wide range of Internet Explorer versions, this update affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Twenty (20) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Three (3) of these vulnerabilities are Elevation of Privilege vulnerabilities. On their own, these vulnerabilities would not allow arbitrary code execution. They would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.
- The final one (1) vulnerability in this update is an Information Disclosure vulnerability. An attacker who exploited this vulnerability could potentially get access to the Internet Explorer browser history.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in Internet search results or in an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
This security update resolves a vulnerability in the Windows Media Player. A specially crafted media file could be created that would utilize this Remote Code Execution vulnerability. Typically you’d see these types of media files posted on a malicious site and perhaps a link to them sent to a user in an email.
MS15-059 (CVE-2015-1759, 1760, and 1770)
This bulletin addresses multiple Remote Code Execution vulnerabilities in Microsoft Office. One of these vulnerabilities is specifically in Microsoft Office Compatibility Service Pack 3. Vulnerability CVE-2015-1760 is present in both Microsoft Office 2010 Service Pack 2 and Microsoft Office 2013 Service Pack 1. The final vulnerability, CVE-2015-1770, is present in Microsoft Office 2013 Service Pack 1 and Microsoft Office 2013 RT Service Pack 1. All three (3) vulnerabilities are caused when Office improperly handles objects in memory and would be exploited by opening a specially crafted file with a vulnerable version of Microsoft Office. Note that users with more than one version of Microsoft Office installed may be prompted to install multiple updates.
Here we have a Remote Code Execution vulnerability in Microsoft Common Controls. It occurs when the code in the Common Controls attempts to access an object in memory that has either not been correctly initialized or has already been deleted. Interestingly, it is triggered when a user invokes the F12 Developer Tools in Internet Explorer.
MS15-061 (CVE-2015-1719 through 1727, 1768, and 2360)
This security update addresses ten (10) Elevation of Privilege vulnerabilities and one (1) Information Disclosure vulnerability in Windows Kernel-Mode Drivers. The Information Disclosure vulnerability is a result of improper handling of buffer elements, which allows an attacker to view the contents of specific memory addresses. The Elevation of Privilege vulnerabilities are a result of improperly freeing an object in memory, insufficient validation of data being passed from user mode to kernel mode, improperly validating user input, and attempting to access an object in memory that has either not been correctly initialized or has already been deleted. These vulnerabilities exist in Microsoft’s currently supported Client Operating Systems as well as Server Operating Systems.
This security update resolves an Elevation of Privilege vulnerability in Active Directory Federation Services (AD FS) 2.0 and 2.1. An attacker who exploited this vulnerability would be able to perform a cross-site scripting attack, resulting in the malicious script being run in the security context of the currently logged-on user.
Here we have an Elevation of Privilege vulnerability in Microsoft Windows. It exists in LoadLibrary, which loads a specified module (a .DLL or an .EXE) into memory. In order to exploit this vulnerability, an attacker would need to copy a malicious DLL file locally or onto a network share. A program that loads the malicious DLL file would then have to run. This vulnerability exists in multiple versions of Microsoft’s Client and Server Operating Systems.
MS15-064 (CVE-2015-1764, 1771, and 2359)
Finally, this bulletin addresses two (2) Information Disclosure vulnerabilities and one (1) Elevation of Privilege vulnerability in Microsoft Exchange Server 2013 Service Pack 1 and Microsoft Exchange Server 2013 Cumulative Update 8. All three (3) vulnerabilities are in Microsoft Exchange web applications. There are no workarounds for these vulnerabilities, so administrators of affected Exchange Servers should implement these fixes as soon as possible.
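The bulletin headings above abbreviate their CVE lists ("CVE-2015-1730 through 1732", "1765 and 1766"). As an added example that is not part of the original newsletter, this Python sketch expands that shorthand into full CVE IDs so they can be matched against scanner or asset-inventory output, and cross-checks the counts stated in the text; the function and variable names are illustrative.

```python
import re

# Bulletin headings copied from this newsletter (shorthand CVE lists).
HEADINGS = {
    "MS15-056": "CVE-2015-1687, CVE-2015-1730 through 1732, "
                "CVE-2015-1735 through 1737, CVE-2015-1739 through 1745, "
                "CVE-2015-1747 and 1748, CVE-2015-1750 through 1755, "
                "CVE-2015-1765 and 1766",
    "MS15-059": "CVE-2015-1759, 1760, and 1770",
    "MS15-061": "CVE-2015-1719 through 1727, 1768, and 2360",
    "MS15-064": "CVE-2015-1764, 1771, and 2359",
}

# One token: optional "CVE-YYYY-" prefix, a sequence number, and an
# optional "through <number>" range end.
TOKEN = re.compile(
    r"(?:CVE-(\d{4})-)?(\d{4,})(?:\s+through\s+(?:CVE-\d{4}-)?(\d{4,}))?"
)


def expand_cves(text):
    """Expand newsletter shorthand into a sorted list of full CVE IDs."""
    year = None
    found = set()
    for match in TOKEN.finditer(text):
        if match.group(1):
            year = match.group(1)  # bare numbers inherit the last year seen
        if year is None:
            raise ValueError("bare number before any CVE-YYYY- prefix")
        first = int(match.group(2))
        last = int(match.group(3)) if match.group(3) else first
        if last < first:
            raise ValueError(f"descending range {first} through {last}")
        for number in range(first, last + 1):
            found.add(f"CVE-{year}-{number:04d}")
    return sorted(found)


if __name__ == "__main__":
    for bulletin, heading in HEADINGS.items():
        ids = expand_cves(heading)
        print(f"{bulletin}: {len(ids)} CVEs")
        for cve_id in ids:
            print(f"  {cve_id}")
```

The expanded counts agree with the text: 24 for the Internet Explorer update and 11 (ten Elevation of Privilege plus one Information Disclosure) for the Kernel-Mode Drivers update.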
Bonus Vulnerability Coverage: Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on June 9th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-11. McAfee Labs Security Advisories for these vulnerabilities will be published when available on the McAfee Labs Security Advisories Community site.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for June 2015 at the Microsoft site.
Until next month…stay safe!