This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for March 2015.
This month Microsoft released a total of fourteen (14) security bulletins. Five (5) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other nine (9) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided under the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-018 (CVE-2015-0032, CVE-2015-0056, CVE-2015-0072, CVE-2015-0099, CVE-2015-0100, CVE-2015-1622 through 2015-1627, and CVE-2015-1634)
Here is the standard cumulative Internet Explorer Security Update. For a cumulative Internet Explorer update this one isn’t too large, addressing 12 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide range of Internet Explorer versions that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Nine (9) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code. It is important to note that one (1) of these vulnerabilities (CVE-2015-1625) has already been publicly disclosed, although Microsoft is not currently aware of any active exploitations that target that vulnerability.
- One (1) of these vulnerabilities is a Memory Corruption Remote Code Execution vulnerability in the VBScript engine when it is rendered in Internet Explorer. Similarly to the Memory Corruption Remote Code Execution vulnerabilities directly in Internet Explorer, an attacker could leverage this vulnerability to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Two (2) vulnerabilities are Elevation of Privilege vulnerabilities. One exists when Internet Explorer does not properly enforce cross-domain policies and the other exists when Internet Explorer doesn’t properly validate permissions and allows a script to be run with elevated privileges. By themselves, these vulnerabilities don’t allow arbitrary code to run. They’d have to be used in conjunction with another vulnerability.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in Internet search results or in an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
This is a Memory Corruption Remote Code Execution vulnerability in how the VBScript engine handles objects in memory when rendered in Internet Explorer. There are multiple attack vectors for this vulnerability, including web-based and embedding an ActiveX control in an application or Microsoft Office document if either of those use the Internet Explorer rendering engine. An attacker could gain the same rights as the currently logged in user and potentially execute arbitrary code or make system-level changes if the user is logged in with administrative rights.
MS15-020 (CVE-2015-0081 and CVE-2015-0096)
This bulletin addresses multiple Remote Code Execution vulnerabilities in Microsoft Windows. One exists in the Windows Text Services and the other exists when Microsoft Windows improperly handles loading DLL files. Exploitation of these vulnerabilities would require convincing a user to browse to a specially crafted website or to open a specially crafted file. In the case of the DLL planting vulnerability, a user would have to open a file within the same directory as a specially crafted DLL file. Both are Critical Remote Code Execution vulnerabilities; the Windows Text Services vulnerability has the simpler attack mechanism.
MS15-021 (CVE-2015-0074, and CVE-2015-0087 through 2015-0093)
Here we have multiple vulnerabilities in the Adobe Font Driver component of Microsoft Windows. Overall, this bulletin is rated as Critical by Microsoft. Breaking down the vulnerabilities, we see that there are five (5) Critical Remote Code Execution vulnerabilities, two (2) Important Information Disclosure vulnerabilities, and one (1) Moderate Denial of Service vulnerability. All of these vulnerabilities were privately reported to Microsoft.
MS15-022 (CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, and CVE-2015-1636)
Five (5) vulnerabilities in Microsoft Office are covered by this bulletin. Three (3) of these are Remote Code Execution vulnerabilities and the other two (2) are Elevation of Privilege vulnerabilities. Only one (1) of the five (5) is actually rated a Critical vulnerability, but this raises the overall aggregate severity rating for this bulletin to Critical. Check the Microsoft bulletin to see which versions of Office and SharePoint Server are affected.
MS15-023 (CVE-2015-0077, CVE-2015-0078, CVE-2015-0094, and CVE-2015-0095)
This bulletin addresses four (4) vulnerabilities in Microsoft Windows that could result in an Information Disclosure, Denial of Service, or Elevation of Privilege. Which type of vulnerability is exposed depends on the affected version of Microsoft Windows and on which of the four (4) vulnerabilities is being referenced. All of these vulnerabilities are in Windows kernel-mode drivers, and to exploit any of them an attacker would need to log on to an affected system and run a specially crafted application.
Here we have a single vulnerability in Microsoft Windows that could result in an Information Disclosure when parsing specially crafted PNG image format files. Exploitation could occur when a user browses to a website that has a specially crafted PNG image, such as a compromised website or a site where users can upload images. Photo sharing service sites could be a delivery vehicle for this or any other attack that involves specially crafted image files.
MS15-025 (CVE-2015-0073 and CVE-2015-0075)
This bulletin is for two (2) Elevation of Privilege vulnerabilities in Microsoft Windows. It is important to note that the fixes provided in this bulletin share affected binaries on both Windows 7 and Windows Server 2008 R2 with Security Advisory 3033929. Because of this overlap in binaries, update 3033929 supersedes update 3035131 on Windows 7 and Windows Server 2008 R2. This is documented in the Update FAQ section for MS15-025.
MS15-026 (CVE-2015-1628 through 2015-1632)
It has been several months since we’ve seen a bulletin issued for Microsoft Exchange Server. This bulletin addresses five (5) separate vulnerabilities in Exchange Server 2013 Service Pack 1 and Exchange Server 2013 Cumulative Update 7. Four (4) of these are Elevation of Privilege vulnerabilities and one (1) of them is a Spoofing vulnerability. The four (4) Elevation of Privilege vulnerabilities all exist within Outlook Web Access (OWA) components. Attackers who exploit any of these vulnerabilities could run script in the context of the currently logged in user. They would all require a user to click on a specially crafted URL, either via email or a web-based attack. Exchange Server administrators that are hosting Outlook Web Access should investigate this bulletin and apply the fixes.
This bulletin is for a Spoofing vulnerability in the NETLOGON component of Microsoft Windows. It is only applicable on domain-joined systems and could allow an attacker to run a specially crafted application and establish a connection with other domain-joined systems (like internal web servers, application servers, databases, etc.) as the impersonated user or system. While this is only listed as Important, the possible ramifications of insider user spoofing within a domain-joined environment elevate the importance of getting this one deployed within corporate domain-joined environments.
Here we have a Security Feature Bypass vulnerability in the Windows Task Scheduler that could allow a user to use the Task Scheduler application to execute files that the user does not ordinarily have permissions to run. It is listed as Important on multiple versions of Windows desktop and server operating systems.
This is another image parsing vulnerability…this time it is an Information Disclosure vulnerability when parsing specially crafted JPEG XR (JXR) image format files. An attacker would not be able to execute code or elevate their user rights directly, but this vulnerability could potentially reveal information that could be used in later attacks.
This bulletin addresses a Denial of Service vulnerability in the Remote Desktop Protocol (RDP). As a Denial of Service attack, it would not allow an attacker to execute code or elevate their user rights, but it would prevent the use of Remote Desktop services on affected systems. By default, RDP is not enabled on any version of Windows, so only systems that have explicitly enabled RDP are at risk.
Finally, this bulletin addresses a vulnerability in the Schannel component of Microsoft Windows that could result in a Security Feature Bypass. Readers may have heard of the publicly disclosed FREAK (Factoring RSA Export Keys) vulnerability, which exposes a security hole in SSL/TLS and could allow a man-in-the-middle attack whereby an attacker decrypts secure communication that would normally be protected between clients and servers. This particular vulnerability affects any Windows system that is using a vulnerable (unpatched) Schannel component to connect to a remote TLS server that is also unpatched for the FREAK vulnerability. It is only listed as Important, but given the widespread ramifications across the Internet, I’d highly advise getting this one deployed ASAP.
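As an added example (not part of the original newsletter), here is what a defender can look for on the wire for the FREAK scenario above: this Python parses a TLS ClientHello and ServerHello and flags a handshake in which the server settled on one of the RSA export-grade cipher suites FREAK relies on, with a stronger finding when the client never offered that suite. The handshake bytes are constructed samples and the function names are my own.

```python
import struct
# RSA export-grade TLS suites (RFC 2246 Appendix A.5): the 512-bit RSA suites FREAK relies on.
# A server should never select one, and a client should never accept one it did not offer.
RSA_EXPORT_SUITES = {0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
                     0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                     0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

def handshake_body(record: bytes, expected_type: int) -> bytes:
    """Unwrap one TLS record and return the handshake message body it carries."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] != expected_type:
        raise ValueError("not a TLS handshake record of the expected type")
    rec_len, hs_len = struct.unpack("!H", record[3:5])[0], int.from_bytes(record[6:9], "big")
    if len(record) < 5 + rec_len or rec_len < 4 + hs_len:
        raise ValueError("truncated TLS handshake record")
    return record[9:9 + hs_len]

def offered_suites(client_hello: bytes) -> list:
    """Cipher suites listed in a ClientHello, in the client's preference order."""
    body = handshake_body(client_hello, CLIENT_HELLO)
    pos = 35 + body[34]                      # skip version, random, session_id
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    return list(struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n]))

def negotiated_suite(server_hello: bytes) -> int:
    """Cipher suite the server selected in its ServerHello."""
    body = handshake_body(server_hello, SERVER_HELLO)
    pos = 35 + body[34]                      # skip version, random, session_id
    return struct.unpack("!H", body[pos:pos + 2])[0]

def freak_indicator(client_hello: bytes, server_hello: bytes):
    """None for a clean handshake, else a finding; an unoffered export suite is the downgrade signal."""
    chosen = negotiated_suite(server_hello)
    if chosen not in RSA_EXPORT_SUITES:
        return None
    name = RSA_EXPORT_SUITES[chosen]
    if chosen in offered_suites(client_hello):
        return "export suite %s negotiated (client offered it)" % name
    return "export suite %s negotiated but never offered: downgraded handshake" % name

def build_record(hs_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a TLS 1.2 record; used here only to build the samples."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

# Constructed sample: the client offers only AES suites 0x002f and 0x0035; the server
# answers with 0x0003, an RSA export suite the client never asked for.
SAMPLE_CLIENT_HELLO = build_record(CLIENT_HELLO, b"\x03\x03" + b"\x11" * 32
                                   + b"\x00" + b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00")
SAMPLE_SERVER_HELLO = build_record(SERVER_HELLO, b"\x03\x03" + b"\x22" * 32 + b"\x00\x00\x03\x00")
```

Run against captured handshake records from a sensor, the same two functions give the cipher suite actually negotiated and whether the client ever asked for it.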
Security Advisory Reissuance:
While not listed as part of the overall March 2015 Patch Tuesday list, Microsoft reissued Security Advisory 3033929 on March 10th. Because of this, users will see new update binaries being made available on Windows 7 and Windows Server 2008 R2. It affects SHA-2 Code Signing Support on those versions of Microsoft Windows.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Bonus Vulnerability Coverage: Just like last month, here’s another group of bonus vulnerabilities. Although not technically listed as a Microsoft Security Bulletin, Microsoft updated Microsoft Security Advisory 2755801 on March 10th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-05. McAfee Labs Security Advisories for these vulnerabilities will be published when available on the McAfee Labs Security Advisories Community site.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for March 2015 at the Microsoft site.
Until next month…stay safe!