
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 14 bulletins being released which address 57 CVEs. Four of the bulletins are listed as Critical and address vulnerabilities in Windows Server Hyper-V, VBScript Scripting Engine, Remote Desktop Protocol (RDP) and Internet Explorer. The remaining ten bulletins are marked as Important and address vulnerabilities in SQL Server, Windows DCOM RPC, NETLOGON, Windows Graphic Component, Windows Kernel Mode Driver, Microsoft Office, Windows Installer, Windows, and OLE.

Bulletins Rated Critical

MS15-065, MS15-066, MS15-067 and MS15-068 are rated Critical.

MS15-065 is this month’s cumulative Internet Explorer security bulletin, addressing vulnerabilities in versions 6 through 11. In total, 29 CVEs are addressed this month. The majority of those CVEs are memory corruption vulnerabilities that could result in remote code execution. If a user views a specially crafted webpage in Internet Explorer, an attacker could exploit these vulnerabilities to gain the same user rights as the current user.

MS15-066 addresses a vulnerability (CVE-2015-2372) in the VBScript scripting engine in Microsoft Windows. A remote code execution vulnerability exists in the way that the VBScript engine, when rendered in Internet Explorer, handles objects in memory. This vulnerability could allow remote code execution if an attacker convinces the user to visit a specially crafted website or open an application or Microsoft Office document that hosts the IE rendering engine embedded with an ActiveX control marked “safe for initialization”. This vulnerability impacts all versions of Internet Explorer (versions 9 and higher are covered by the IE cumulative update MS15-065), along with Windows Server 2003, Windows Vista and Windows Server 2008.

MS15-067 addresses a vulnerability (CVE-2015-2373) in Microsoft Windows Remote Desktop Protocol (RDP). To exploit this vulnerability, an attacker would need to send a specially crafted sequence of packets to the RDP server service. Although the vulnerability could allow remote code execution, the most likely impact will be crashing the RDP server service. If RDP is disabled (the default setting), the system is not impacted by this vulnerability. The vulnerability impacts Windows 7, Windows 8 and Windows Server 2012.

MS15-068 addresses two Microsoft Hyper-V vulnerabilities (CVE-2015-2361 & CVE-2015-2362). These vulnerabilities exist in Windows Hyper-V in a host context if an authenticated and privileged user on a guest virtual machine hosted by Hyper-V runs a specially crafted application. To exploit these vulnerabilities, an attacker must have valid logon credentials for a guest virtual machine. These vulnerabilities impact Windows Server 2008, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2.

Bulletins Rated Important

MS15-058, MS15-069, MS15-070, MS15-071, MS15-072, MS15-073, MS15-074, MS15-075, MS15-076, and MS15-077 are rated Important.

MS15-058 addresses multiple Microsoft SQL Server vulnerabilities. CVE-2015-1761 involves Microsoft SQL Server improperly casting a pointer to an incorrect class. An attacker can use the vulnerability to gain elevated privileges if their credentials allow access to an affected SQL Server database. CVE-2015-1762 & CVE-2015-1763 require an attacker to convince a privileged user to run specially crafted queries. These vulnerabilities impact SQL Server 2008 (Service Pack 3 & 4), SQL Server 2008 R2 (Service Pack 2 & 3), SQL Server 2012 (Service Pack 1 & 2), and SQL Server 2014.

MS15-069 addresses two vulnerabilities in Windows. Both vulnerabilities require an attacker to first place a specially crafted dynamic link library (DLL) file in the target user’s current working directory. CVE-2015-2368 requires the attacker to convince the user to run an application that loads the DLL, whereas CVE-2015-2369 requires the attacker to convince the user to open a specially crafted .RTF file. These vulnerabilities impact Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MS15-070 addresses multiple vulnerabilities in Microsoft Office. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. Successfully exploiting these vulnerabilities would allow the attacker to run arbitrary code in the context of the user being exploited. These vulnerabilities impact Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, Microsoft Office 2013 RT, Microsoft Office for Mac, Microsoft Excel Viewer 2007 Service Pack 3, Microsoft Compatibility Pack Service Pack 3, Microsoft Word Viewer, Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, and Microsoft SharePoint Server 2013.

MS15-071 addresses a vulnerability (CVE-2015-2374) in Windows. To exploit this vulnerability, an attacker needs to be logged in to a domain-joined system and be able to observe network traffic. The attacker could then run a specially crafted application that establishes a secure channel connection belonging to a different computer. This vulnerability impacts Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1.

MS15-072 addresses a vulnerability (CVE-2015-2364) in the Windows graphics component. To exploit this vulnerability, an attacker must first log on to the affected system and then run a specially crafted application that takes advantage of the Windows graphics component failing to properly process bitmap conversions, thereby gaining elevated privileges. This vulnerability impacts Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT and Windows RT 8.1.

MS15-073 addresses six vulnerabilities in the Windows Kernel Mode Driver. Three of these are privilege escalation vulnerabilities (CVE-2015-2363, CVE-2015-2365, CVE-2015-2366) that could allow an attacker to gain control over the targeted system due to the way the kernel mode driver handles objects in memory. The other three are information disclosure vulnerabilities (CVE-2015-2367, CVE-2015-2381, CVE-2015-2382) that could allow an attacker to learn the location of system resources in memory, both because the kernel mode driver fails to handle certain uninitialized values in memory and because the driver leaks private address information during a function call.

MS15-074 addresses a vulnerability (CVE-2015-2371) in the Windows Installer. This vulnerability could allow a privilege escalation attack to occur due to the way Windows Installer may, in some cases, execute custom action scripts. Successful exploitation would give an attacker complete control of the targeted system. To exploit this vulnerability, an attacker would first need to compromise a user who is logged in to the vulnerable system. The attacker would then need to find a vulnerable .MSI package installed on the system and place a specially crafted custom action script that the vulnerable .MSI package could then execute.

MS15-075 addresses two vulnerabilities (CVE-2015-2416 & CVE-2015-2417) in the Windows Object Linking & Embedding (OLE) component. These vulnerabilities could allow a privilege escalation attack to occur due to the way OLE fails to properly handle objects in memory. To exploit them, an attacker would either need to be able to log in to a vulnerable system and execute a specially crafted application, or convince a user to execute a malicious application that could then allow the attacker to gain control of the system.

MS15-076 addresses a vulnerability (CVE-2015-2370) in Microsoft Remote Procedure Call (RPC). This vulnerability could allow a privilege escalation attack to occur when Windows RPC inadvertently allows DCE/RPC connection reflection. Exploitation of this vulnerability would require an attacker to either be able to log in to a vulnerable system and execute a specially crafted application, or convince a user to execute a malicious application that could then allow the attacker to gain control of the system.

MS15-077 addresses a vulnerability (CVE-2015-2387) in the Adobe Type Manager Font Driver (ATMFD). This vulnerability could allow a privilege escalation attack to occur due to the way the ATMFD fails to properly handle objects in memory. Exploitation of this vulnerability would require an attacker to either be able to log in to a vulnerable system and execute a specially crafted application, or convince a user to execute a malicious application that could then allow the attacker to gain control of the system. Note that workarounds exist that can mitigate this vulnerability if patching is not immediately feasible. For details on these workarounds, please review the advisory released by Microsoft. This vulnerability has been publicly disclosed and targeted attacks are known to have occurred.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 34741-34742, 35116-35117, 35119-35216
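As an added example (this is not part of the original Talos post and not Talos tooling), the following Python script expands the SID list above into individual rule identifiers and audits a Snort rules file for which of those SIDs are present and enabled, present but commented out with a leading `#`, or absent altogether. The rule lines embedded in it are constructed placeholders, not the actual Talos rules; the SID ranges are taken verbatim from the line above.

```python
import re
from typing import Dict, Iterable, List, Set

# SID ranges exactly as listed in the bulletin's Coverage section.
TALOS_SID_RANGES = "34741-34742, 35116-35117, 35119-35216"


def parse_sid_ranges(spec: str) -> Set[int]:
    """Expand a comma-separated list of SIDs and inclusive SID ranges
    (e.g. "34741-34742, 35116") into a set of integer SIDs."""
    sids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad SID range: {part}")
            sids.update(range(lo, hi + 1))
        else:
            sids.add(int(part))
    return sids


# A Snort rule carries its identifier in a "sid:NNNN;" option.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def index_rules(lines: Iterable[str]) -> Dict[int, bool]:
    """Map every SID found in the rule text to True if the rule is enabled,
    False if the line is commented out with a leading '#'."""
    found: Dict[int, bool] = {}
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        m = _SID_RE.search(stripped)
        if not m:
            continue
        enabled = not stripped.startswith("#")
        sid = int(m.group(1))
        # If a SID appears both enabled and disabled, count it as enabled.
        found[sid] = found.get(sid, False) or enabled
    return found


def audit_coverage(expected: Set[int], rules: Dict[int, bool]) -> Dict[str, List[int]]:
    """Split the expected SIDs into enabled, disabled (commented out) and missing."""
    return {
        "enabled": sorted(s for s in expected if rules.get(s) is True),
        "disabled": sorted(s for s in expected if rules.get(s) is False),
        "missing": sorted(s for s in expected if s not in rules),
    }


# Constructed sample rule lines (placeholders, not real Talos rules) used to
# exercise the audit offline.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"PLACEHOLDER rule A"; sid:34741; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"PLACEHOLDER rule B"; sid:34742; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER rule C"; sid:35116; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PLACEHOLDER unrelated"; sid:1000001; rev:1;)
""".splitlines()


def main() -> None:
    expected = parse_sid_ranges(TALOS_SID_RANGES)
    report = audit_coverage(expected, index_rules(SAMPLE_RULES))
    print(f"expected {len(expected)} SIDs from the bulletin")
    for status, sids in report.items():
        preview = f" e.g. {sids[:5]}" if sids else ""
        print(f"{status}: {len(sids)}{preview}")


if __name__ == "__main__":
    main()
```

To audit a deployed sensor, replace `SAMPLE_RULES` with the lines of the rules file in use, for example `index_rules(open("/etc/snort/rules/talos.rules"))` (path assumed). A rule that is present but commented out is reported as disabled rather than silently counted as coverage, which is the case that most often goes unnoticed after a ruleset update.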

Related Links: Event Response Page



Authors

Talos Group

Talos Security Intelligence & Research Group