Avatar

Microsoft’s Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated “Critical” and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated “Important” and address vulnerabilities in Edge, Office, and the Windows Kernel.

Bulletins Rated Critical

MS15-106, MS15-108, are MS15-109 are rated Critical in this month’s release.

MS15-106 is this month’s Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed with most of them being memory corruption conditions that could allow arbitrary code execution.  This bulletin also addresses 2 memory corruption flaws and 2 information disclosure flaw in the JScript/VBScript scripting engine for Internet Explorer versions 8 through 11 only. Users and organizations that currently use Internet Explorer 7 or who do not have Internet Explorer installed will need to install MS15-108 to address the vulnerabilities in the VBScript/JScript scripting engine.

MS15-108 addresses four vulnerabilities the JScript/VBScript scripting engine. Users who use Internet Explorer 7 or who do not have Internet Explorer installed on the system will see this update available to them. Otherwise, these vulnerabilities are resolved in MS15-106. Two of the vulnerabilities (CVE-2015-2482, CVE-2015-6055) are memory corruption flaws that could result in arbitrary code execution.CVE-2015-6052) is a ASLR Bypass vulnerability. Exploitation of these three vulnerabilities is possible if a user visits a maliciously crafted web page using Internet Explorer.

The final vulnerability addressed is an information disclosure vulnerability (CVE-2015-6059) that could be used to discloses the contents of its memory, which “could provide an attacker with information to further compromise the user’s computer or data.”

MS15-109 addresses two vulnerabilities in the Windows Shell. Both CVE-2015-2515 and CVE-2015-2548 are remote code execution flaws that manifest when Windows Shell fails to properly handles objects in memory, resulting in a use-after-free condition. For CVE-2015-2515, exploitation of this vulnerability is possible if a user opens a maliciously crafted toolbar object in Windows. For CVE-2015-2548, exploitation of this vulnerability is possible if a user navigates to a maliciously crafted webpage using Internet Explorer.

Bulletins Rated Important

MS15-107, MS15-110, are MS15-111 are rated Important in this month’s release.

MS15-107 is this month’s Edge security bulletin addressing two vulnerabilities. CVE-2015-6057 is an information disclosure vulnerability that could allow an adversary to gather information to further compromise the user’s computer. CVE-2015-6058 is an XSS Filter Bypass that could allow disabled scripts to execute in the wrong security context leading to information disclosure. Exploitation of CVE-2015-6058 is possible if a user navigates to a web page hosting malicious content (i.e. user submitted content) that is designed to exploit this flaw.

MS15-110 addresses six vulnerabilities in all currently supported versions of Office. Three vulnerabilities (CVE-2015-2555, CVE-2015-2557, CVE-2015-2558) are memory corruption flaws that could result in arbitrary code execution in the context of the current user’s privileges that could be exploited if a user opens a maliciously crafted Office document. The other three are:

  • CVE-2015-2556 is an information disclosure vulnerability in Sharepoint that manifests due to SharePoint InfoPath Services failing to properly parse the Document Type Definition (DTD) of an XML document. Exploitation of this vulnerability could allow an adversary to browse the contents of arbitrary files on the Sharepoint server if the adversary has write permissions to the site. An adversary would need to upload a maliciously crafted file to a page and the send a specifically crafted web request to the SharePoint server.
  • CVE-2015-6037 is XSS spoofing vulnerability that manifests due to an Office Web Apps server failing to properly sanitize a user requests. Exploitation of this vulnerability could allow an adversary to perform XSS attacks on an affected system and run scripts in the context of the current user. An example where exploitation of this vulnerability is possible is if a user clicks on a specifically crafted URL that directs the user to a targeted Office Web App site.
  • CVE-2015-6039 is a security feature bypass vulnerability in SharePoint that manifests when the “Office Marketplace is allowed to inject JavaScript code that persists onto a SharePoint page” due to SharePoint failing to enforce permissions levels.  Exploitation of the vulnerability would require an adversary to possess the ability to update a Marketplace instance in order to add malicious code to a Marketplace app to could be pushed to the Sharepoints instances consuming the app.

MS15-111 addresses five vulnerabilities in the Windows Kernel. Three of the vulnerabilities (CVE-2015-2549, CVE-2015-2550, CVE-2015-2554) are privilege escalation vulnerabilities that manifest when the kernel fails to handle objects in memory properly. Another privilege escalation vulnerability (CVE-2015-2553) is also addressed which manifests when Windows fails to validate junctions when mount points are created. CVE-2015-2552 is a Trusted Boot security feature bypass vulnerability caused by Windows failing to properly enforce the Windows Trusted Boot policy. Exploitation of CVE-2015-2552 could allow an adversary to disable code integrity checks, which would allow test-signed executables and drivers as well as bypass BitLocker and Device Encryption security features.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 36427-36428, 36436, 36452, 36458-36459, 34393-34394, 36401-36426, 36429-36448, 36450-36451



Authors

Talos Group

Talos Security Intelligence & Research Group