This post was written by Yves Younan.

Microsoft’s first Update Tuesday of 2015 is pretty light, there’s a total of eight bulletins, all covering a single vulnerability. Seven of these bulletins are rated as important and just one is rated critical. No bulletin for IE is being released this month. Two of the vulnerabilities were publicly disclosed prior to today, while another one was being actively exploited by attackers.

Microsoft made a number of changes to Update Tuesday last month, such as dropping deployment priority in favor of their exploitability index (XI). This month more changes were made to the program: Microsoft is no longer providing their Advance Notification Service (ANS) to the general public, but is instead only providing it to premier customers.

The first bulletin of the year is MS15-001. It fixes a single vulnerability in the Application Compatibility Infrastructure in Windows (CVE-2015-0002) that could allow an attacker to gain elevated privileges. The vulnerability occurs due to an improper check of the authorization to modify the Application Compatibility cache, allowing an attacker to execute a privileged application by inserting an entry into the cache. The vulnerability has an XI of two and was publicly disclosed by Project Zero because their 90-day deadline for resolving the issue had passed.

The only critical bulletin this month is MS15-002 which fixes CVE-2015-0014: a buffer overflow in the Windows Telnet Service that can be triggered by sending maliciously crafted packets to the service, allowing an attacker to gain remote code execution on the machine. One important mitigating factor is the fact that the telnet service is not enabled (or even installed in many cases) by default. The vulnerability was privately disclosed to Microsoft and has an XI of two.

Our third bulletin of the month, MS15-003, corrects a single CVE (CVE-2015-0004) that could lead to an elevation of privileges. This error occurs in the Windows User Profile Service, where a malicious application could load registry hives of another user, potentially allowing it to execute privileged applications. Like MS15-001, this issue was publicly disclosed by Project Zero because the deadline for resolving the issue was exceeded. The vulnerability has an XI of two.

Next up is MS15-004, rated important, which fixes a directory traversal issue (CVE-2015-0016) in the Windows component TS WebProxy. If exploited, the vulnerability could lead to an elevation of privileges for the local attacker to the current user (including Administrator). One attack scenario would involve convincing a user to visit a malicious website in order to exploit the vulnerability and elevate the attacker’s privileges. The vulnerability has an XI of zero (denoting active exploitation) and is currently being used to escape IE’s sandbox in conjunction with other vulnerabilities: allowing the attacker’s payload to go from low integrity to medium integrity.

CVE-2015-0006 is fixed by MS15-005. This vulnerability is a security feature bypass in Network Location Awareness (NLA) where an attacker spoofs DNS and LDAP responses which would cause the machine to apply a domain profile when connected to an untrusted network. This could allow an attacker to relax the firewall policy or configuration of services, which would increase the exposed attack surface. This issue has an XI of three and was privately reported to Microsoft.

The next bulletin, MS15-006, fixes a vulnerability (CVE-2015-0001) that could allow an attacker to dump the contents of a running process due to a problem in Windows Error Reporting. Attackers would require administrator privileges to exploit this vulnerability, but it could allow them to view the contents of protected processes. The vulnerability was privately reported to Microsoft and has an XI of two.

Bulletin MS15-007 provides a patch for a Denial of Service (CVE-2015-0015) in the RADIUS implementation of the Network Policy Server or the Internet Authentication Service. An unauthenticated attacker could exploit the vulnerability by sending a specially crafted username to the server, resulting in the denial of service. The vulnerability was privately reported. It has an XI of three and a DoS Exploitability Assessment of ‘permanent’, meaning that exploitation could cause the system to hang, requiring a manual reboot.

The final bulletin of the month is MS15-008 and affects Kernel Mode Drivers in Windows. The vulnerability (CVE-2015-0011) could allow an attacker with a local account to gain elevated privileges. The vulnerability exists in the WebDav driver where it fails to correctly enforce impersonation levels. An attacker running a specially crafted application could use this to gain privileges on the machine. The vulnerability was privately reported to Microsoft and has an XI of two.

Talos is releasing the following signatures to deal with these vulnerabilities: SIDs 32965-32966, 33048-33053.

Related items: Event Response Page


Talos Group

Talos Security Intelligence & Research Group