
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release sees a total of 13 bulletins being released which address 48 CVEs. Three of the bulletins are listed as Critical and address vulnerabilities in Internet Explorer, GDI+ Font Parsing, and Windows Journal. The remaining ten bulletins are marked as Important and address vulnerabilities in Microsoft Office, SharePoint, .NET, Silverlight, Service Control Manager, Windows Kernel, VBScript/JScript, Microsoft Management Console, and Secure Channel.

Bulletins Rated Critical

MS15-043, MS15-044, and MS15-045 are rated Critical.

MS15-043 is this month's Internet Explorer security bulletin, with vulnerabilities in versions 6 through 11 being addressed. This month, 22 CVEs were addressed; the majority of those were memory corruption vulnerabilities that could result in remote code execution. Several ASLR bypass, elevation of privilege, and information disclosure vulnerabilities were also addressed this month.

MS15-044 addresses two CVE related to TrueType and OpenType Font parsing in various Microsoft applications including the core operating system and Microsoft Office, Microsoft Lync, and Microsoft Silverlight.  Please review the specific bulletin for all OS/Application versions that are affected.  The more severe of the two vulnerabilities (CVE-2015-1671) affects TrueType Font parsing and could result in remote code execution. This vulnerability could be exploited by forcing the user to view a specially crafted document or webpage that contains embedded TrueType fonts. The other vulnerability (CVE-2015-1670) affects OpenType Font parsing which could result in information disclosure.

MS15-045 addresses six CVEs related to Windows Journal affecting multiple versions of Microsoft Windows. An attacker could exploit these vulnerabilities by having a user open a specially crafted Microsoft Journal file (*.jnt), which could result in remote code execution. Two of the vulnerabilities (CVE-2015-1675 & CVE-2015-1695) were publicly disclosed but have not yet been seen being exploited.

Bulletins Rated as Important

MS15-046, MS15-047, MS15-048, MS15-049, MS15-050, MS15-051, MS15-052, MS15-053, MS15-054, and MS15-055 are rated as Important.

MS15-046 addresses two CVE related to Microsoft Office.  Both vulnerabilities (CVE-2015-1682 & CVE-2015-1683) are memory corruption vulnerabilities that could result in remote code execution if a user opens a specially crafted Microsoft Office document.

MS15-047 addresses a single vulnerability (CVE-2015-1700) in Microsoft SharePoint Server 2007 SP3, 2010 SP2, and 2013 SP1. This vulnerability allows an authenticated user to potentially execute remote code by sending specially crafted content to a Microsoft SharePoint Server.

MS15-048 addresses two vulnerabilities in .NET Framework affecting multiple versions on all currently supported Microsoft operating systems. The first vulnerability, CVE-2015-1672, is a Denial of Service vulnerability related to the decryption of XML documents within the .NET Framework and can be exploited by sending specially crafted XML data to a vulnerable server hosting a .NET application. The second vulnerability, CVE-2015-1673, is a privilege escalation vulnerability in the Windows Forms libraries for .NET Framework caused by improper handling of objects in memory. In order for this vulnerability to be exploited, an attacker could use social engineering to convince a user to install a maliciously crafted partial trust application.

MS15-049 addresses a single vulnerability (CVE-2015-1715) in Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime. This privilege escalation vulnerability allows a user to run a low integrity level application at medium or high integrity. In order to exploit this vulnerability, an attacker would need to convince a user to execute a maliciously crafted Silverlight executable.  Once the vulnerability has been exploited, an attacker would then have the ability to execute arbitrary code with an elevated privilege level.

MS15-050 addresses a single vulnerability (CVE-2015-1702) in Service Control Manager affecting multiple different versions of Microsoft Windows. Due to improper verification of impersonation levels in the Service Control Manager, this vulnerability could allow a logged-in user who executes a program to escalate privileges. Exploitation of this vulnerability would require an attacker to execute a maliciously crafted application that is designed to elevate privileges while logged into the system.

MS15-051 addresses six vulnerabilities associated with Windows Kernel-Mode Drivers affecting multiple different Microsoft Windows versions.  The majority are information disclosure vulnerabilities that could leak private address information.  The remaining vulnerability, CVE-2015-1701, is a privilege escalation vulnerability resulting from improper handling of objects in memory which could result in arbitrary code execution in kernel mode.

MS15-052 addresses a single vulnerability, CVE-2015-1674, in Windows Kernel affecting multiple versions of Microsoft Windows including Windows 8 & 8.1, Windows Server 2012 & 2012 R2, and Windows RT & RT 8.1. This particular vulnerability is a security feature bypass related to the Windows kernel failing to properly validate from which mode the request originates.

MS15-053 addresses two vulnerabilities in JScript and VBScript in multiple versions of Microsoft Windows potentially allowing Security Feature Bypass. The first vulnerability, CVE-2015-1684, affects only VBScript. The remaining vulnerability affects both VBScript and JScript. Both vulnerabilities, when rendered in Internet Explorer, defeat Address Space Layout Randomization (ASLR), allowing an attacker to more accurately predict the memory offsets of specific functions.

MS15-054 addresses a single vulnerability, CVE-2015-1681, in Microsoft Management Console (MMC) affecting Microsoft Windows Vista and newer operating systems. This vulnerability allows an unauthenticated attacker to create a Denial of Service condition by getting a user to open a share containing a specially crafted .msc file.

MS15-055 addresses a single vulnerability, CVE-2015-1716, in Secure Channel affecting multiple versions of Microsoft Windows.  This vulnerability could result in information disclosure if an attacker is able to reduce the Diffie-Hellman ephemeral key length to 512 bytes in an encrypted TLS session.  Reducing the key length to 512 bytes makes the key exchanges weak and vulnerable to multiple different attacks.
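The weakness MS15-055 patches comes down to the client accepting whatever ephemeral Diffie-Hellman group the server offers. The defensive check below is an added example, not code from the Talos post or from Microsoft: it parses the ServerDHParams structure (dh_p, dh_g, dh_Ys, each a 2-byte length-prefixed field, as defined in RFC 5246 section 7.4.3) from the start of a TLS 1.2 ServerKeyExchange body and rejects any group whose prime is below a policy minimum. The prime size is measured as the bit length of the integer, so leading zero bytes padded onto dh_p cannot make a small group look larger. The 2048-bit threshold, the helper names and the sample parameter blobs are all assumptions constructed for this example.

```python
"""Added example (not from the original post): minimum-size check for a
TLS 1.2 ServerKeyExchange DHE group. All data here is constructed."""
import struct

# Policy threshold; an assumption for this example, not a Microsoft value.
MIN_DH_PRIME_BITS = 2048


def _read_opaque16(buf, offset):
    """Read one <0..2^16-1> length-prefixed field; return (bytes, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if offset + length > len(buf):
        raise ValueError("truncated field body")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(body):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from the start of a
    ServerKeyExchange body. Returns the values as ints plus the bit length
    of the prime and the offset where the signature would follow."""
    p_raw, off = _read_opaque16(body, 0)
    g_raw, off = _read_opaque16(body, off)
    ys_raw, off = _read_opaque16(body, off)
    p = int.from_bytes(p_raw, "big")
    # bit_length() ignores leading zero bytes, so padding dh_p does not
    # inflate the measured group size.
    return {
        "p": p,
        "g": int.from_bytes(g_raw, "big"),
        "Ys": int.from_bytes(ys_raw, "big"),
        "p_bits": p.bit_length(),
        "signature_offset": off,
    }


def dh_group_verdict(body, min_bits=MIN_DH_PRIME_BITS):
    """Return 'ok', 'weak' or 'malformed' for a ServerKeyExchange body."""
    try:
        params = parse_server_dh_params(body)
    except ValueError:
        return "malformed"
    if params["p_bits"] < min_bits:
        return "weak"
    return "ok"


def build_server_dh_params(p_bits, g=2, ys=0x1234, leading_zero_bytes=0):
    """Construct a ServerDHParams blob with a dummy odd number of exactly
    p_bits bits standing in for the prime (constructed test data, not a
    real safe prime). leading_zero_bytes pads dh_p the way a sloppy or
    hostile encoder might."""
    p = (1 << (p_bits - 1)) | 1

    def opaque16(n, pad=0):
        raw = (b"\x00" * pad) + n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(raw)) + raw

    return opaque16(p, leading_zero_bytes) + opaque16(g) + opaque16(ys)


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, dh_group_verdict(build_server_dh_params(bits)))
```

A real client would run this check before verifying the signature over the parameters, since a valid signature over a 512-bit group proves nothing about the group's strength; a passive monitor can apply the same logic to captured handshakes to flag servers or middleboxes that negotiate short groups.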

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information.  For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 34379-34384, 34391-34392, 34405-34412, 34415, 34417-34425, 34430-34433, 34436-34437, 34444-34445

Related Links: Event Response Page

Authors

Talos Group

Talos Security Intelligence & Research Group