Avatar

Microsoft’s Patch Tuesday for February 2015 has arrived.  This month’s round of security updates is large with Microsoft releasing 9 bulletins addressing 56 CVEs.  3 of the bulletins are rated critical and address vulnerabilities within Internet Explorer, Windows, and Group Policy.  The remaining 6 bulletins are rated important and address vulnerabilities in Office, Windows, Group Policy, and System Center Manager.

Bulletins Rated Critical

MS15-009, MS15-010, and MS15-011 are rated Critical.

MS15-009 is targeted at addressing multiple vulnerabilities within Internet Explorer, versions 6 through 11.  In total, 41 different CVEs were addressed with the vast majority of the those CVEs fixing use-after-free vulnerabilities that could result in remote code execution.  A couple ASLR bypasses, privilege escalation vulnerabilities, and a cross-site information disclosure vulnerability were also addressed this month.  In addition, this bulletin includes a fix for CVE-2014-8967, which was publicly disclosed in December 2014.

MS15-010 addresses 6 CVEs within Windows Kernel Mode Drivers covering several types of vulnerabilities.  3 privilege escalation vulnerabilities (CVE-2015-0003, CVE-2015-0057,  CVE-2015-0058), a denial of service vulnerability (CVE-2015-0060), and a Security Feature Bypass flaw (CVE-2015-0010, disclosed by Google’s Project Zero last month), were all addressed in this month’s update.  CVE-2015-0059 was also addressed and is the most serious with remote code execution possible due to Windows failing to parse TrueType fonts properly.

MS15-011 addresses a single, privately reported vulnerability (CVE-2015-0008) within Group Policy that could allow remote code execution.  In order for this vulnerability to be exploited, a victim with a domain-configured system would need to connect to an untrusted network, such a Wi-Fi hotspot.  As a special note, Windows Server 2003 is identified as vulnerable, but will not be patched due to existing architecture limitations within the Operating System.

Bulletins Rated Important

MS15-012, MS15-013, MS15-014, MS15-015, MS15-016, and MS15-017 are rated Important.

MS15-012 addresses 3 privately reported vulnerabilities within Microsoft Office.  All 3 vulnerabilities are remote code execution flaws that can potentially be exploited if a user opens a maliciously crafted spreadsheet with Excel (CVE-2015-0063) or a maliciously crafted document with Word (CVE-2015-0064 and CVE-2015-0065).

MS15-013 addresses a single vulnerability within Microsoft Office that was previously disclosed.  CVE-2014-6362 is a use-after-free vulnerability resulting in remote code execution if a users opens a maliciously crafted document.  The impact of the vulnerability, however, is mitigated if a user enforces the use ASLR.

MS15-014 addresses a single, privately reported vulnerability within Windows Group Policy.  CVE-2015-0009 is a possible security-feature bypass vulnerability by way of a man-in-the-middle attack corrupting the Group Policy Security Configuration Engine policy file on a targeted system.  This, in turn, forces Windows to revert the Group Policy settings to their default state, which could potentially be less secure.

MS15-015 addresses a single, privately reported vulnerability within Windows that could allow privilege escalation.  CVE-2015-0062 is the result of Windows failing to validate and enforce impersonation levels when a process is created.  As a special note, this vulnerability is only exploitable in specific scenarios where SeAssignPrimaryTokenPrivilege is not available for normal processes.

MS15-016 addresses a single, privately disclosed vulnerability within the Microsoft Graphic Component.  CVE-2015-0061 is a simple information disclosure that could be used to gather information on the stack, potentially allowing an attacker to bypass ASLR.

MS15-017 addresses a single, privately disclosed vulnerability within Microsoft System Center 2012 R2 Virtual Machine Manager.  CVE-2015-0012 is a privilege escalation vulnerability that results from Virtual Machine Manager failing to validate a user’s role, allowing an attacker to gain control of all the virtual machines controlled by the VMM server.  Note that this vulnerability requires an attacker to have valid Active Directory credentials and for the attacker to be able to login using those credentials.  Once an attacker has logged onto the server, they are able to gain control of all the virtual machines controlled by the VMM server.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities.  Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information.  For the most current rule information, please refer to your Defense Center.

Snort SID: 33312-33325, 33331-33338, 33340-33341, 33345-33349, 33352-33354, 33356-33361, 33365-33366, 33412-33428

Related Links: Event Response Page



Authors

Talos Group

Talos Security Intelligence & Research Group