Avatar

Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins released which address 58 CVEs. Four bulletins are rated “Critical” this month and address vulnerabilities in Internet Explorer, Graphics Component, Office, and Edge. The other ten bulletins are rated “Important” and address vulnerabilities within Remote Desktop Protocol (RDP), Server Message Block (SMB), XML Core Services, Mount Manager, System Center Operations Manager, UDDI Services, Command Line, WebDAV, Windows, and the .NET Framework.

Bulletins Rated Critical

MS15-079, MS15-080, MS15-081, and MS15-091 are rated “Critical”.

MS15-079 is this month’s Internet Explorer security bulletin. Thirteen CVEs were addressed this month which affected Internet Explorer versions 7 through 11. As is the case with previous Internet Explorer security bulletins, this one primarily addresses use-after-free vulnerabilities and ASLR bypasses. One particular CVE to note is CVE-2015-2423, an information disclosure vulnerability that is also present in Office and Windows. Users will need to install this bulletin as well as MS15-081 and MS15-088 to patch IE, Office, and Windows respectively. For further details about this vulnerability, please see MS15-088.

MS15-080 addresses sixteen CVEs in the Microsoft Graphics Component, which is utilized by the .NET Framework, Lync, Office, and Silverlight. This bulletin address flaws that could allow remote code execution if a user were to open a maliciously crafted document or visit a web page containing embedded OpenType or TrueType fonts. The Windows Adobe Type Manager, Windows DirectWrite, Office, and Windows kernel were all patched to correctly handle OpenType fonts, TrueType fonts, OGL fonts, and memory objects respectively. This bulletin also addresses flaws in validating impersonation levels that could allow an attacker to gain administrator privileges on a targeted system.

MS15-081 addresses eight CVEs in Microsoft Office versions 2007, 2010, 2013, 2013 RT, Office for Mac 2011, and Office for Mac 2016. The most severe of these vulnerabilities could allow an attacker who specifically crafts a malicious Office document to achieve remote code execution on a targeted system. Two particular CVEs to note in this bulletin are CVE-2015-2466 and CVE-2015-2470. CVE-2015-2466 is flaw in the way Office validates Office templates prior to use and could allow for remote code execution. CVE-2015-2470 is an integer underflow vulnerability that could allow for a privilege escalation attack. Note that CVE-2015-2423, the information disclosure vulnerability that also affects IE and Windows, is also addressed in the bulletin.

MS15-091 addresses four CVEs in Microsoft Edge, Microsoft’s new web browser introduced within Windows 10. Three of the CVEs (CVE-2015-2441, CVE-2015-2442, CVE-2015-2446) are memory corruption vulnerabilities, such as use-after-free and integer overflow conditions. The remaining CVE (CVE-2015-2449) is an ASLR bypass vulnerability.

Bulletins Rated Important

MS15-082, MS15-083, MS15-084, MS15-085, MS15-086, MS15-087, MS15-088, MS15-089, MS15-090, and MS15-092 are rated “Important”.

MS15-082 addresses two privately reported vulnerabilities (CVE-2015-2472, CVE-2015-2473) in Remote Desktop Protocol (RDP). CVE-2015-2472 is a session host spoofing vulnerability that manifests when the Remote Desktop Session Host fails to properly validate certificates during authentication. Exploitation of this vulnerability requires that a man-in-the-middle attacker to craft an untrusted certificate that matches the issuer name and serial number of a trusted certificate. CVE-2015-2473 is a DLL planting remote code execution vulnerability where the Windows RDP client fails to handle loading certain specially crafted DLLs properly. Exploitation of CVE-2015-2473 requires an attacker to first plant a maliciously crafted DLL in a target user’s current working directory and then for the user to open a maliciously crafted RDP file. Note that a workaround exists that may help mitigate CVE-2015-2473.

MS15-083 addresses a single privately reported vulnerability in Service Message Block (SMB). CVE-2015-2474 is remote code execution flaw that manifests when SMB fails to properly handle certain logging activities. Exploitation of this vulnerability requires an attacker to be authenticated on the target system and to send a specially crafted string to the SMB server error logging. Workarounds are available that may help mitigate this vulnerability.

MS15-084 addresses three vulnerabilities in Microsoft XML Core Services (MSXML). All three vulnerabilities (CVE-2015-2434, CVE-2015-2440, CVE-2015-2471) are Information Disclosure vulnerabilities. CVE-2015-2434 and CVE-2015-2471 are flaws that manifest when MSXML explicitly allows SSL 2.0 connections and this bulletin addresses the potential man-in-the-middle scenario by configuring MSXML to use more secure protocols instead of SSL 2.0. CVE-2015-2440 is a flaw that could be used to expose the location of system functions in memory and allow for an attacker to bypass ASLR.

MS15-085 addresses a single privately reported vulnerability in the Mount Manager component within Windows. CVE-2015-1769 is a privilege escalation vulnerability that manifests when Mount Manager component fails to properly process symbolic links. Exploitation of this vulnerability is possible via a malicious USB device being inserted into a target system. An attacker could then write a malicious binary to disk and execute it.

MS15-086 addresses a single privately reported vulnerability in Microsoft System Center Operations Manager (SCOM). CVE-2015-2420 is a cross-site scripting vulnerability that could allow an attacker to spoof content, gather information, or perform any arbitrary action within the context of the targeted user. In order for this vulnerability to be exploited, an attacker would need to trick a user into visiting an affected website a specially crafted URL through social engineering.

MS15-087 addresses a single privately reported vulnerability in the Universal Description, Discovery, and Integration (UDDI) Service component within Windows. CVE-2015-2475 is a privilege escalation vulnerability that manifests when UDDI Service fails to properly validate or sanitize the search parameter in a FRAME tag. An attacker could exploit this vulnerability by engineering a cross-site scripting attack that could then leak authorization cookies or redirect users to a malicious webpage. Note that a workaround exists that may help mitigate this vulnerability.

MS15-088 addresses a single information disclosure vulnerability in Windows, but that is also present in IE and Office. CVE-2015-2423 is an information disclosure vulnerability that manifests when files with medium integrity level become “accessible to Internet Explorer running in Enhanced Protected Mode (EPM)”. Exploitation of CVE-2015-2423 requires an attacker to leverage another vulnerability within IE with EPM to execute code and then execute Excel, Notepad, Powerpoint, Visio, or Word using an unsafe command line parameter.

The flaws in Internet Explorer and Office for this CVE are addressed in MS15-079 and MS15-081 respectively. Users will need to install the other two applicable bulletins to fully address this particular flaw completely. Note that a workaround exists and may help in mitigating CVE-2015-2423.

MS15-089 addresses a single privately reported vulnerability in the Web Distributed Authoring and Versioning (WebDAV) component within Windows. CVE-2015-2476 is an information disclosure vulnerability that manifests itself when the WebDAV client is explicitly allowed to use SSL 2.0. This bulletin addresses the potential man-in-the-middle scenario by configuring WebDAV to default to more secure protocols instead of SSL 2.0.

MS15-090 addresses three privately reported vulnerabilities in Windows. All three CVEs are privilege escalation vulnerabilities that could allow an attacker to gain administrative privileges on the targeted system. CVE-2015-2428 manifests itself within Windows Object Manager and is exploitable via an authenticated attacker who runs a specifically crafted executable. CVE-2015-2429 manifests itself within Windows Registry when it improperly permits certain registry interactions within a vulnerable sandboxed application. CVE-2015-2430 manifests itself within the File System when it improperly permits certain file system interactions within a vulnerable sandboxed application. Both CVE-2015-2429 and CVE-2015-2430 can be exploited via a user opening a specifically crafted file that invokes a vulnerable sandboxed application.

MS15-092 addresses three privately reported vulnerability in the RyuJIT compiler within the Microsoft .NET Framework. All three CVEs (CVE-2015-2479, CVE-2015-2480, CVE-2015-2481) are privilege escalation vulnerabilities that manifest when the RyuJIT compiler performs improper optimization of certain parameters the results in a code generation error. Exploitation of these vulnerabilities is possible via an attacker crafting a special .NET application and socially engineering users to run the malicious application.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 35139-35140, 35473-35530

Related Links: Event Response Page



Authors

Talos Group

Talos Security Intelligence & Research Group