Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 55 CVEs. Five bulletins are rated “Critical” this month and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Journal, and Office. The other seven bulletins are rated “Important” and address vulnerabilities in the .NET Framework, Active Directory, Exchange, Hyper-V, Media Center, Skype for Business, and Task Management.

Bulletins Rated Critical

MS15-094, MS15-095, MS15-097, MS-098, and MS15-099 are rated “Critical”.

MS15-094 is this month’s Internet Explorer security bulletin. Seventeen CVEs are addressed this month which affected Internet Explorer versions 7 through 11. As is the case with previous Internet Explorer security bulletins, most of the vulnerabilities patched are use-after-free conditions along with privilege escalation and information disclosure flaws. Note that CVE-2015-2542, a publicly disclosed vulnerability, is addressed in this bulletin.

MS15-095 is this month’s Edge security bulletin. Edge is Microsoft’s new web browser introduced with Windows 10. Four CVEs are addressed in this month’s release with all four being remote code execution flaws stemming from memory corruption conditions. Note that CVE-2015-2542, a publicly disclosed vulnerability, is addressed in this bulletin.

MS15-097 addresses 11 vulnerabilities in the Microsoft Graphics Component targeting Lync, Office, and Windows. Five vulnerabilities are specific to the Windows Adobe Type Manager library and its mishandling of OpenType fonts that can result in privilege escalation, remote code execution, and denial of service (the denial of service vulnerability was discovered by Talos, see TALOS-2015-007). The remote code execution vulnerabilities can be triggered if a user opens a maliciously crafted document or visits a web page containing embedded OpenType fonts. The remaining six CVEs are vulnerabilities within the kernel that could allow privilege escalation or ASLR bypass. These vulnerabilities are due to improper enforcement of the impersonation levels and improper handling of objects in memory.

MS15-098 addresses five vulnerabilities in Windows Journal. CVE-2015-2513, CVE-2015-2514, CVE-2015-2519, and CVE-2015-2530 are remote code execution vulnerabilities while CVE-2015-2516 is a denial of service vulnerability that causes Windows Journal to unexpectedly terminate. An attacker who specifically crafts a malicious Journal file to exploit these vulnerabilities would be able to execute code in the context of the current user. Note that exploitation is only achievable if a user opens the specifically crafted Journal file. Workarounds are available to mitigate risk of exploitation.

MS15-099 addresses four vulnerabilities in Microsoft Office components. Three CVEs (CVE-2015-2520, CVE-2015-2521, CVE-2015-2523) are memory corruption vulnerabilities in Microsoft Office 2007, 2010, 2013, 2013 RT, 2011 for Mac, 2016 for Mac, Office Compatibility Pack, and Excel Viewer that could allow arbitrary code execution. An attacker who crafts a malformed, malicious Excel document could execute arbitrary code against a user if opened. Possible exploitation vectors include email with a specifically crafted Excel document attached or a website hosting the specifically crafted document that the user could download and open with one of the affected products.

The remaining CVE (CVE-2015-2522) is a Sharepoint Cross-Site Scripting (XSS) vulnerability that could allow an attacker to steal sensitive information such as authentication cookies and recently submitted data. Exploitation of this vulnerability would require an attacker to submit specifically crafted content to the target site and then for this content to be viewed by a user.

Bulletins Rated Important

MS15-096, MS15-100, MS15-101, MS15-102, MS15-103, MS15-104, and MS15-105 are rated “Important”.

MS15-096 addresses CVE-2015-2535, a denial of service vulnerability in Active Directory. This vulnerability manifests itself if an authenticated attacker creates multiple machine accounts. Exploitation of the vulnerability could result in the Active Directory service becoming non-responsive. Note that exploitation requires the authenticated user to possess privileges to add machines to the domain. If the user does not have privileges, then this vulnerability is not exploitable.

MS15-100 addresses CVE-2015-2509, a remote code execution vulnerability in Windows Media Center that manifests itself if Media Center opens a specially crafted Media Center link (.mcl). An attacker who crafts a specifically .mcl file to reference malicious code can execute arbitrary code in the context of the current user. Exploitation of this vulnerability would require an attacker to use social engineering to have the user install the malicious .mcl file. Once installed, arbitrary code can be executed from an attacker-controlled location.

MS15-101 addresses two vulnerabilities in the Microsoft .NET Framework. CVE-2015-2504 is one of the two CVEs and is a privilege escalation vulnerability that manifests through the way the .NET Framework validates the number of objects in memory before copying those objects into an array. Exploitation of this vulnerability could allow an attacker to perform administrative functions on the targeted machine, such as creating user accounts or installing applications.  Both local and web-based vectors are viable attack vectors. A user who views a specifically crafted website containing a malicious XAML browser application could exploit this vulnerability. Alternatively, if a user were to execute an untrusted .NET application that exploits this vulnerability, the user could then be subject to this vulnerability.

CVE-2015-2526 is the other CVE and is a MVC denial of service vulnerability that manifests through .NET improperly handling certain specifically crafted requests. An attacker who sends a maliciously crafted request to an ASP.NET server could cause performance to degrade. This can effectively create a denial of service condition and disrupt the availablity of sites that use the  ASP.NET framework. External facing website using ASP.NET are primarily at risk of exploitation from this vulnerability.

MS15-102 addresses three privilege escalation vulnerabilities in Windows Task Management. CVE-2015-2524 and CVE-2015-2528 are vulnerabilities that manifest through Task Management failing to validate and enforce impersonation levels. CVE-2015-2525 manifests itself through Task Scheduler failing to properly verify certain file system interactions. These vulnerabilities are exploitable via an authenticated user running a specifically crafted application that leverages one of the flaws. Once exploitation has occurred, the authenticated user would then able to perform arbitrary administration functions such as add users and install applications on the targeted machine.

MS15-103 addresses three vulnerabilities in Exchange 2013. One vulnerability is CVE-2015-2505, an information disclosure vulnerability that manifests when Outlook Web Access fails to properly handle web requests. An attacker who sends a specifically crafted web request to the application could learn senstive stack trace details. The other two vulnerabilities (CVE-2015-2543, CVE-2015-2544) are spoofing vulnerabilities that manifest when Outlook Web Access fails to sanitize a specifically crafted email. An attacker who sends a specifically crafted email to the user could perform an HTML injection attack to attempt to socially engineer the targeted user to disclose sensitive information.

MS15-104 addresses three vulnerabilities in Lync Server 2013 and Skype for Business Server 2015. CVE-2015-2531 is an cross-site scripting (XSS) information disclosure vulnerability while CVE-2015-2536 is a XSS privilege escalation vulnerability. Both vulnerabilities are present in Lync Server and Skype for Business server. CVE-2015-2532 is an information disclosure vulnerability that only affects Lync Server. All three vulnerabilities manifests as a result of Lync Server/Skype for Business Server failing to properly sanitize specifically crafted content and are exploitable via an attacker crafting a specifically formatted, malicious URL that a user would then have to click on in order to trigger the vulnerable code.

MS15-105 addresses CVE-2015-2534, a Hyper-V security feature bypass vulnerability that manifests itself when access control list (ACL) configuration settings are not applied correctly. An attacker who creates a specifically crafted an application and executes it could cause Hyper-V to permit unintended network traffic. Note that users who do not have Hyper-V enabled are not affected but will be offered the update anyway as a defense-in-depth measure should Hyper-V be enabled in the future.


In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 35719-35720, 33765-33766, 35955-35960, 35963-36021


Talos Group

Talos Security Intelligence & Research Group