Microsoft Patch Tuesday – February 2015

Hello everyone,

This is Greg Blaum again with the Microsoft Patch Tuesday newsletter for February 2015.

This month Microsoft released a total of nine (9) security updates. Three (3) of these are rated Critical, which Microsoft defines as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other six (6) are rated Important.

Clarification of the McAfee Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list McAfee products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see a McAfee product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

This month’s patches include the following:


Let’s take a closer look at each of the Microsoft Security Bulletins:

MS15-009 (CVE-2014-8967, CVE-2015-0017 through 2015-0023, CVE-2015-0025 through 2015-0031, CVE-2015-0035 through 2015-0046, CVE-2015-0048 through 2015-0055, and CVE-2015-0066 through 2015-0071)

After a one-month hiatus, Microsoft is back with the standard cumulative Internet Explorer Security Update. This is a big one, resolving one (1) publicly disclosed and forty (40) privately reported vulnerabilities in different versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 6 through Internet Explorer 11 on all currently supported versions of Windows. Because such a wide range of Internet Explorer versions is affected, this update applies to a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

  • A whopping thirty-five (35) of these vulnerabilities are Internet Explorer Memory Corruption Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Three (3) of the vulnerabilities are Address Space Layout Randomization (ASLR) Bypass vulnerabilities. These are classified as Security Feature Bypass vulnerabilities. By themselves, these vulnerabilities don’t allow arbitrary code to run. They’d have to be used in conjunction with another vulnerability.
  • Two (2) of the vulnerabilities are Elevation of Privilege vulnerabilities. Similarly to the ASLR vulnerabilities, these vulnerabilities don’t allow arbitrary code to run and would have to be used in conjunction with another vulnerability.
  • One (1) of the vulnerabilities is a Cross-domain Information Disclosure vulnerability. If exploited, an attacker could gain access to information in another Internet Explorer zone or domain.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.
  • At the time of this writing, Microsoft had only seen exploit code for CVE-2015-0071, which is one of the Internet Explorer ASLR Bypass vulnerabilities.

MS15-010 (CVE-2015-0003, CVE-2015-0010, and CVE-2015-0057 through 2015-0060)

This update addresses six (6) different vulnerabilities in Windows kernel-mode drivers. Microsoft has rolled a mix of different vulnerability types into this one update: Remote Code Execution, Security Feature Bypass, Elevation of Privilege, and Denial of Service. The most critical of these are the Remote Code Execution vulnerabilities. Most of these vulnerabilities exist in Win32k.sys, although one is also in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys). Affected versions of Windows include all supported editions of Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MS15-011 (CVE-2015-0008)

This vulnerability is a Remote Code Execution vulnerability in the Group Policy component of Windows. Since it is in Group Policy, it affects Active Directory domain-joined systems and how the Group Policy component receives and applies policy data. In order for this to be exploited, a domain-joined system would need to be connected to a network that the attacker controls. The attacker could then take complete control of the vulnerable system and install programs, view/change/delete data, or create new accounts.

MS15-012 (CVE-2015-0016)

Here we have multiple vulnerabilities in Microsoft Office products that could potentially allow Remote Code Execution. Each of them is caused when the affected Microsoft Office product improperly handles objects in memory while parsing specially crafted Microsoft Office files. Versions of Office affected include Office 2007, Office 2010, Office 2013, SharePoint Server 2010, Office Web Apps 2010, Word & Excel Viewers, and the Office Compatibility Pack SP3.

MS15-013 (CVE-2015-0006)

This vulnerability also exists in Microsoft Office, but it is a Security Feature Bypass when Office fails to use the Address Space Layout Randomization (ASLR) feature. To be exploited, a user would need to open a specially crafted file while using an unpatched version of Microsoft Office. This vulnerability has been publicly disclosed and could be exploited by an attacker emailing the specially crafted file or posting it on a website and convincing a user to open it. Microsoft Office 2007, 2010, and 2013 are affected by this vulnerability.

MS15-014 (CVE-2015-0001)

Here is another Group Policy vulnerability; this one is a Security Feature Bypass that could cause Group Policy settings to revert to their default and potentially less-secure state. To be exploited, an attacker would need to utilize a man-in-the-middle attack to modify domain controller responses to domain-joined client requests. A man-in-the-middle attack is one in which an attacker re-routes network communication between two communicating machines through the attacker’s computer, unbeknownst to the two communicating machines.

MS15-015 (CVE-2015-0015)

This vulnerability is particularly interesting. It exists in Microsoft Windows and is an Elevation of Privilege vulnerability in process creation. It only exists in a very specific scenario where a process uses SeAssignPrimaryTokenPrivilege. If this were to be exploited, an attacker could elevate privileges to the Administrator level and then install programs, view/change/delete data, or create new accounts. This vulnerability could conceivably be combined with the delivery of malware and result in the attacker having full administrative privileges on the compromised machine. Although it is labeled Important, I’d highly advise deployment of this update. It affects all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 2012, Windows RT, Windows 8.1, Windows 2012 R2, and Windows RT 8.1.

MS15-016 (CVE-2015-0011)

This security update is rated as Important and addresses an Information Disclosure vulnerability in the Microsoft Graphics Component in Microsoft Windows. It exists when the graphics component improperly handles uninitialized memory when parsing specially crafted TIFF files. Exploitation could occur when a user browses to a website that has a specially crafted TIFF image, such as a compromised website or a site where users can upload images. Although this vulnerability would not allow an attacker to execute code or elevate user rights, it could be used to obtain information to be used for future attacks.

MS15-017 (CVE-2015-0011)

Lastly, this security update resolves an Elevation of Privilege vulnerability in Microsoft System Center Virtual Machine Manager. An attacker would need to have valid Active Directory logon credentials and log in to the affected system in order to exploit this vulnerability. Once exploited, the attacker could not only gain administrative privileges to the System Center VMM server, but could also take control of all virtual machines that are controlled by the System Center Virtual Machine Manager.

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

Bonus Vulnerability Coverage: Just like last month, here’s another group of bonus vulnerabilities. Although not technically listed as a Microsoft Security Bulletin, Microsoft updated Microsoft Security Advisory 2755801 on February 5th to address new vulnerabilities in the Adobe Flash Player. This only addresses the integrated Adobe Flash Player that was released as part of Internet Explorer 10 and Internet Explorer 11. Other versions of the Adobe Flash Player should be updated via the Adobe website. The Microsoft operating systems affected are Windows 8 & 8.1, Windows RT & RT 8.1, and Windows Server 2012 & 2012 R2. Because Adobe Flash content is so prevalent on the Internet and the vulnerabilities could potentially allow an attacker to take control of the affected system, this should also be considered a Critical update. Details are also available in Adobe Security bulletin APSB15-04. McAfee Labs Security Advisories for these vulnerabilities are published in MTIS15-023 and MTIS15-024 on the McAfee Labs Security Advisories Community site.

Windows 10 Technical Preview and Windows Server Technical Preview: Many users may be testing both the Windows 10 Technical Preview and Windows Server Technical Preview. It is important to note that many of the vulnerabilities this month affect these early preview releases of Microsoft operating systems. Users that are testing these preview releases are encouraged to apply appropriate updates to their systems by visiting Microsoft Windows Update.

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

Finally, these briefings are archived on the McAfee Community site.

For additional useful security information, please make note of the following links:

You can also review the Microsoft Summary for February 2015 at the Microsoft site.

Until next month…stay safe!

