
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 14 bulletins being released which address 45 CVEs.  The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component.

Bulletins Rated Critical

MS15-018, MS15-019, MS15-020, MS15-021, and MS15-022 are rated Critical.

MS15-018 addresses multiple vulnerabilities within Internet Explorer, versions 6 through 11.  12 CVEs were resolved this month, including CVE-2015-0072, a cross-site scripting vulnerability that was publicly disclosed in February.  Most of the vulnerabilities that were patched were use-after-free vulnerabilities along with privilege escalation vulnerabilities.

This bulletin also addresses CVE-2015-0032, a vulnerability within the VBScript Engine that could allow arbitrary code execution if a user navigates to a specially crafted website. Although IE is used as an attack vector for this vulnerability and is not vulnerable itself, this bulletin addresses CVE-2015-0032 for IE, versions 8 through 11.  For IE versions 6 and 7 or for users who do not have IE installed, users are advised to install MS15-019 which will resolve this vulnerability.

MS15-019 addresses CVE-2015-0032, the same remote code execution vulnerability within the VBScript Engine that is addressed in MS15-018.  Note that this bulletin is targeted at systems where IE versions 6 or 7 are installed or if IE is not installed on the affected systems.  Users and administrators who have IE version 8 through 11 installed on their system(s) should install MS15-018 instead.

MS15-020 addresses 2 privately reported vulnerabilities within Windows that could allow remote code execution.  CVE-2015-0081 is a vulnerability within Windows Text Services, where improper handling of objects within memory could result in arbitrary code execution if a user navigates to a specially crafted website. CVE-2015-0096 is a vulnerability where Windows fails to correctly load DLL files.  Exploitation of CVE-2015-0096 requires that a user open a file within the same directory as the specially crafted DLL file.

MS15-021 addresses 8 privately reported vulnerabilities within the Adobe Font Driver found within Windows.  Of the 8 vulnerabilities, 1 is a denial of service vulnerability (CVE-2015-0074) and 2 are information disclosure vulnerabilities (CVE-2015-0087, CVE-2015-0089).  The remaining 5 vulnerabilities are memory corruption defects that could result in arbitrary code execution if a user views a specially crafted file or website.  These 5 vulnerabilities are documented in CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093 respectively.

MS15-022 addresses 5 privately reported vulnerabilities within Microsoft Office 2007, 2010, and 2013.  Of the 5 reported vulnerabilities, 3 of them are remote code execution vulnerabilities resulting from improper parsing of rich text files (CVE-2015-0086), improper handling of objects in memory (CVE-2015-0097), or from use-after-free memory operations (CVE-2015-0085).  The remaining two vulnerabilities (CVE-2015-1633, CVE-2015-1636) are cross-site scripting vulnerabilities within Sharepoint.

Bulletins Rated Important

MS15-023, MS15-024, MS15-025, MS15-026, MS15-027, MS15-028, MS15-029, MS15-030, and MS15-031 are rated important.

MS15-023 addresses 4 privately reported vulnerabilities within Windows Kernel Mode Drivers.  This bulletin affects all currently supported versions of Windows.  Three of the vulnerabilities (CVE-2015-0077, CVE-2015-0094, CVE-2015-0095) are memory disclosure vulnerabilities that could allow an attacker to gain information about the system and use that information in combination with other attacks to compromise the system.  The other vulnerability, CVE-2015-0078, is a privilege escalation vulnerability that could allow an attacker to gain administrator privileges over the affected system and perform arbitrary administrative actions.

MS15-024 addresses 1 privately reported information disclosure vulnerability within Windows. CVE-2015-0080 is a vulnerability where Windows improperly parses specially crafted PNG files.  Exploitation is possible if an attacker convinces a victim to navigate to a webpage with the specially crafted PNG file.  Remote code execution and privilege escalation are not directly possible.  However, this vulnerability could allow attackers to gain valuable information about the system, which could then be used in further exploitation.

MS15-025 addresses 2 privately reported vulnerabilities within the Windows Kernel that could allow privilege escalation.  CVE-2015-0073 is a vulnerability within Windows Registry Virtualization that allows a user to modify the virtual store of another user.  An attacker could then use the other user account to execute arbitrary code.  CVE-2015-0075 is a vulnerability where Windows fails to properly validate and enforce user impersonation levels.  In order to exploit this vulnerability, an attacker would need to log in to a system and run an executable designed to exploit this vulnerability.

MS15-026 addresses 5 privately reported vulnerabilities within Microsoft Exchange Server 2013.  Four of these vulnerabilities are cross-site scripting vulnerabilities within Outlook Web App and are documented in CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, and CVE-2015-1632.  The other vulnerability (CVE-2015-1631) is a Forged Meeting Request Spoofing vulnerability where Exchange does not properly validate the organizer’s identity when accepting or modifying meeting requests.

MS15-027 addresses 1 privately reported vulnerability within the NETLOGON service.  CVE-2015-0005 is a vulnerability where the NETLOGON service fails to properly establish a secure connection without challenging for credentials when given a computer name on a system that is part of a domain.  In order to exploit this vulnerability, an attacker would need to be authenticated on a system and run an executable that would establish a secure connection to another system and exploit this vulnerability.  The attacker would then be able to impersonate a user on the system the attacker connected to.

MS15-028 addresses 1 privately reported vulnerability within the Windows Task Scheduler.  CVE-2015-0084 is a security feature bypass vulnerability where Windows Task Scheduler fails to validate and enforce user impersonation levels.  Exploitation of this vulnerability could allow a user account with limited privileges to execute binaries that the account would not normally be able to execute via Task Scheduler.

MS15-029 addresses 1 privately reported vulnerability within the Microsoft Graphics Component within Windows.  CVE-2015-0076 is an information disclosure vulnerability resulting from Windows improperly handling uninitialized memory when parsing a JPEG XR (.jxr) image.  In order to exploit this vulnerability, a user would need to navigate to a website containing the specially crafted image.  Remote code execution and privilege escalation are not directly possible.  However, this vulnerability could allow attackers to gain valuable information about the system, which could then be used in further exploitation.

MS15-030 addresses 1 privately reported vulnerability within Remote Desktop.  CVE-2015-0079 is a denial of service vulnerability within Remote Desktop Protocol (RDP) that is the result of RDP failing to free objects from memory.  An attacker could cause a denial of service by initiating multiple RDP sessions on a targeted system, causing the targeted system to stop responding.

MS15-031 addresses 1 publicly disclosed vulnerability, the Factoring attack on RSA export-grade keys (FREAK) within SChannel. CVE-2015-1637 is assigned to track the FREAK vulnerability across all currently supported Microsoft operating systems.  As a special note, this patch does not disable the EXPORT_RSA ciphers within Windows Server 2003, but instead moves them down in the list of preferred ciphers. EXPORT_RSA ciphers are disabled by default in Windows Vista/Server 2008 and later operating systems.
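As an added illustration (not part of the Talos post or any Microsoft code) of why moving EXPORT_RSA suites down the preference list is weaker than disabling them: under server-side preference, the server picks the first suite in its own list that the client also offered, so an export suite that is still enabled at the bottom is chosen whenever it is the only overlap. The suite names follow the IANA registry convention and the preference lists are constructed for the example.

```python
"""Model how server cipher suite preference interacts with export-grade RSA suites.

Added example, not Microsoft's or Talos's code. Assumption: the server selects the
first suite in its own preference order that the client also offered (server
preference), and the lists below are constructed, not taken from any real host.
"""
import re
from typing import Optional

# Matches RSA export-grade suite names such as TLS_RSA_EXPORT_WITH_RC4_40_MD5
EXPORT_RE = re.compile(r"^(TLS|SSL)_RSA_EXPORT")


def select_suite(server_prefs: list[str], client_offer: list[str]) -> Optional[str]:
    """Return the suite a server-preference negotiation picks, or None if nothing overlaps."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def export_suites(prefs: list[str]) -> list[tuple[int, str]]:
    """List (rank, name) for every export-grade RSA suite still enabled; rank 0 is most preferred."""
    return [(i, s) for i, s in enumerate(prefs) if EXPORT_RE.match(s)]


def harden(prefs: list[str]) -> list[str]:
    """Remove export-grade RSA suites entirely instead of merely deprioritising them."""
    return [s for s in prefs if not EXPORT_RE.match(s)]


# Constructed preference list: export suites present but moved to the bottom
DEPRIORITISED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
]
# A normal client offers only strong suites
NORMAL_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
# A ClientHello whose only suites are export-grade; this is the overlap FREAK depends on
EXPORT_ONLY_CLIENT = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    print(select_suite(DEPRIORITISED, NORMAL_CLIENT))                # strong suite, as intended
    print(select_suite(DEPRIORITISED, EXPORT_ONLY_CLIENT))           # export suite still negotiable
    print(select_suite(harden(DEPRIORITISED), EXPORT_ONLY_CLIENT))   # None: no export suite left
    print(export_suites(DEPRIORITISED))                              # what an audit should flag
```

The audit function reports an enabled export suite regardless of its rank, which is the check to apply on Windows Server 2003 hosts after this patch.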

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities.  Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information.  For the most current rule information, please refer to your Defense Center or FireSIGHT Management Center.

Snort SIDs: 21232, 33287-33288, 33705-33739, 33741-33744, 33760-33811

Related Links: Event Response Page
Authors

Talos Group

Talos Security Intelligence & Research Group