This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for May 2015.
The month Microsoft released a total of thirteen (13) security bulletins. For this month, three (3) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other ten (10) are rated Important.
Clarification of the Intel Security Coverage column in the table below
Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.
This month’s patches include the following:
Let’s take a closer look at each of the Microsoft Security Bulletins:
MS15-043 (CVE-2015-1658, CVE-2015-1684 through 1686, CVE-2015-1688 and 1689, CVE-2015-1691 and 1692, CVE-2015-1694, CVE-2015-1703 through 1706, and CVE-2015-1708 through 1714, CVE-2015-1717 and 1718)
Here is the standard cumulative Internet Explorer Security Update. This is a big Internet Explorer update, addressing 22 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide version numbers of Internet Explorer that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:
- Fourteen (14) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
- Three (3) of these vulnerabilities are Address Space Layout Randomization (ASLR) bypass vulnerabilities. Two (2) of these are in scripting (VBScript and/or Jscript) and the other one is in Internet Explorer itself. An attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature. On its own, this vulnerability would not allow arbitrary code execution. It would need to be combined with an unprotected remote code execution vulnerability in order for an attacker to be able to execute arbitrary code.
- Four (4) of these vulnerabilities are Elevation of Privilege vulnerabilities. These occur when Internet Explorer fails to properly validate permissions, potentially allowing code to be executed with elevated privileges. These would need to be combined with another vulnerability to allow arbitrary code to execute.
- The final one (1) vulnerability in this update is an Internet Explorer Clipboard Information Disclosure vulnerability. With this vulnerability, Internet Explorer fails to properly restrict access to the clipboard. This could allow a malicious website to access data temporarily stored in the Windows clipboard.
- As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
MS15-044 (CVE-2015-1670 and 1671)
This security update resolves two (2) vulnerabilities in the Microsoft Font Drivers. One of these is an Information Disclosure Vulnerability and the other one is a Remote Code Execution vulnerability. Since the Remote Code Execution vulnerability is the more severe, it raises the overall classification level of this update to a Remote Code Execution update. These vulnerabilities are in OpenType and TrueType Font Parsing. Because so many programs use these libraries (Windows, Office, Lync, & Silverlight), it is highly advisable to get this update deployed.
MS15-045 (CVE-2015-1675, CVE-2015-1695 through 1699)
This bulletin addresses a Remote Code Execution vulnerability in Windows Journal. It exists when a specially crafted Journal file is opened with a vulnerable version of the Windows Journal. An attacker would need to convince a user to open the corrupted Journal file. Note that two (2) of the six (6) vulnerabilities in this update have been publicly disclosed.
MS15-046 (CVE-2015-1682 and 1683)
Here we have two (2) Remote Code Execution vulnerabilities in Microsoft Office. They could be exploited if a user opens a specially crafted file with a vulnerable version of Microsoft Office. It covers a wide version of Microsoft Office software, including the desktop versions as well as Web Apps and multiple version of SharePoint Server. These vulnerabilities also exist in Office for Mac. Given the extremely high usage of Microsoft Office and the propensity for wide dissemination of Office files, system administrators should get this update deployed quickly.
This security update addresses multiple Remote Code Execution vulnerabilities in Microsoft SharePoint Server. A special note on this update is that there are multiple vulnerabilities but they’re lumped together in one CVE entry since they all share the same underlying issue with related code. An attacker would need to be authenticated to SharePoint in order to exploit these vulnerabilities by sending specially crafted page content to the SharePoint site. SharePoint administrators should investigate this one and get their systems patched, particularly if they are public-facing SharePoint sites.
MS15-048 (CVE-2015-1672 and 1673)
This security update resolves two (2) vulnerabilities in multiple versions of the Microsoft .NET Framework. One of the vulnerabilities is an Elevation of Privilege vulnerability and the other is a Denial of Service vulnerability. Since the more serious of these is the Elevation of Privilege, it raises the overall classification of this update to that level. Both vulnerabilities are in the .NET XML Decryption capability. It covers a wide variety of .NET Framework versions on multiple Operating Systems, so please check the Microsoft article for specifics.
Here we have an Elevation of Privilege vulnerability in Microsoft Silverlight. This vulnerability improperly allows Silverlight applications that are supposed to run at low integrity level to be executed at medium integrity level or higher. Note that this affects Microsoft Silverlight on Windows as well as on Mac. Silverlight applications can execute within the web browser if the Silverlight plug-in is installed and enabled.
The Windows Service Control Manager (SCM) has an Elevation of Privilege vulnerability that is resolved by this update. An attacker has to logon to a system and then run a specially crafted application that is designed to increase privileges. A special note on this update is that although Windows Server 2003 is listed as a vulnerable Operating System, Microsoft is not issuing an update for it.
MS15-051 (CVE-2015-1676 through 1680 and CVE-2015-1701)
This security update resolves multiple Information Disclosure and Elevation of Privilege vulnerabilities in Windows Kernel-Mode Drivers. Five (5) of the vulnerabilities in this update are Kernel Memory Disclosure vulnerabilities, which could allow disclosure of kernel memory contents. The Elevation of Privilege vulnerability in in the Win32k.sys driver exists when it improperly handles objects in memory. Note that the Elevation of Privilege vulnerability has been publicly disclosed and Microsoft was aware of limited and targeted attacks.
Here is a Security Feature Bypass vulnerability in Microsoft Windows that affects the more recent versions of Microsoft’s desktop and server Operating Systems. An attacker would need to logon to a system and then run a specially crafted application in order to exploit this vulnerability.
MS15-053 (CVE-2015-1684 and 1686)
Here we have multiple Security Feature Bypass vulnerabilities in the Microsoft JScript and VBScript Scripting Engines. These vulnerabilities are in the Address Space Layout Randomization (ASLR) security feature. Note that the vulnerabilities in this update are for systems with Internet Explorer 7 or earlier as well as systems without Internet Explorer installed. Earlier we mentioned Security Feature Bypass vulnerabilities in the Cumulative Internet Explorer update package, and systems with Internet Explorer 8 or later will utilize that update to address the vulnerabilities that Microsoft mentions in MS15-053.
Here we have a Denial of Service vulnerability in the file format of Microsoft Management Console (MMC) files. A specially crafted .msc file would need to be opened in order to exploit this vulnerability. It exists in multiple versions of Windows desktop and server Operating Systems.
Rounding out the plethora of May updates is an Information Disclosure vulnerability in the Secure Channel (Schannel) component. It exists when the Schannel component allows the use of a weak Diffie-Hellman ephemeral (DFE) key length of 512 bits in an encrypted TLS session. Microsoft is resolving this vulnerability by increasing the minimum allowable DFE key length from 512 bits to 1024 bits.
Additional Security Advisories:
Microsoft Security Advisory 3042058 – Update to Default Cipher Suite Priority Order
This update adds four (4) new cipher suites which add support for Perfect Forward Secrecy (PFS). Also included in this update, Microsoft makes improvements to the cipher suite priority ordering.
Microsoft Security Bulletin MS15-041 Important – Vulnerability in .NET Framework Could Allow Information Disclosure (3048010)
Previously published on April 14th, Microsoft updated this bulletin to address issues with a previous update (3037580) for the Microsoft .NET Framework.
Bonus Vulnerability Coverage: After not having one last month, we’re back to more bonus vulnerabilities. Although not technically listed as a Microsoft Security Bulletin (listed as a Security Advisory), Microsoft updated Microsoft Security Advisory 2755801 on May 12th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-09. McAfee Labs Security Advisories for these vulnerabilities will be published when available on the McAfee Labs Security Advisories Community site.
NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.
Memory Corruption Vulnerabilities:
Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.
Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.
Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.
Finally, these briefings are archived on the McAfee Community site.
For additional useful security information, please make note of the following links:
You can also review the Microsoft Summary for May 2015 at the Microsoft site.
Until next month…stay safe!