Well, well, Patch Tuesday is not yet dead as Microsoft released 14 security bulletins, four of which are rated critical for remote code execution vulnerabilities; the August 2015 security updates are aimed at Windows, Microsoft Office, Internet Explorer, Edge, Microsoft Lync, Microsoft Silverlight and .Net Framework. One of the patches rated critical (MS15-081) and one rated important (MS15-085) are fixes for exploits detected in the wild.
It is the first Patch Tuesday since Windows 10 officially launched. Shavlik product manager Chris Goettl noted that we are seeing the “fallout from the Black Hat conference last week, as security researchers showed off their skills with live exploits.” Qualys CTO Wolfgang Kandek noted that 40% of Microsoft’s security updates are for Windows 10 and one patch is aimed at Microsoft’s new Edge browser.
The MSRC Team released perhaps the world's shortest summary of security bulletins, writing, "Today we released security updates to provide protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released." MSRC had a lot more to say when it enthusiastically announced that Microsoft raised its Bounty Program from $50,000 to $100,000.
Patches rated as Critical for RCE holes
MS15-079 closes 13 vulnerabilities in Internet Explorer; 10 of which address remote code execution. All supported versions of Windows and IE are affected. Windows Server 2003 was axed last month, but the end-of-life server should still be counted as affected. Kandek said, “It is now only a question of time before an exploit for Internet Explorer comes out that cannot be patched under Windows 2003.”
MS15-080 resolves 16 vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. “The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts.” Kandek added, the vulnerabilities “can be triggered through any application that accesses fonts: web browsers, e-mail and documents. All versions of Windows, including 10 are affected.” The patch covered several security problems, but regarding CVE-2015-2433, a Kernel ASLR Bypass Vulnerability, Microsoft noted, “This vulnerability has been publicly disclosed.” There is no notification that it is being exploited in the wild.
MS15-081 for Microsoft Office is the patch with the highest priority, according to Kandek, as it resolves a bug being exploited in the wild. Kandek added, “It is rated critical which is rare for an Office bulletin, as Microsoft typically downgrades a vulnerability when user interaction is required, such as opening a DOCX file. But CVE-2015-2466 is rated critical on Office 2007, Office 2010 and Office 2013 indicating that the vulnerability can be triggered automatically, possibly through the Outlook e-mail preview pane, and provide Remote Code Execution (RCE), giving the attacker control over the targeted machine. MS15-081 also addresses a vulnerability that is being exploited in the wild, CVE-2015-1642 - so if you run Microsoft Office 2007, 2010 or 2013 you are a potential target.
MS15-091 is for Microsoft Edge, but the Windows 10 update is cumulative. It fixes RCE vulnerabilities that exist when Edge “improperly accesses objects in memory” and a security feature bypass vulnerability that “exists when Microsoft Edge fails to use the Address Space Layout Randomization (ASLR) security feature.” Microsoft wrote, “In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release.”
“Microsoft has changed the game up with its Windows 10 patches,” noted Goettl. “Instead of releasing patches individually, it is now releasing patches in bundles. This makes it easy to patch systems, but it also means that users can no longer test patches individually before integrating them, which could be problematic if one patch causes issues.”
Patches rated as Important
MS15-082 is rated as important yet addresses RCE and spoofing vulnerabilities. “The most severe of the vulnerabilities could allow remote code execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s current working directory and then convinces the user to open a Remote Desktop Protocol (RDP) file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This security update is rated Important for all supported releases of Microsoft Window except Windows 10, which is not affected.”
MS15-083 resolves another RCE vulnerability in Windows Server Message Block. “The vulnerability could allow remote code execution if an attacker sends a specially crafted string to the SMB server error logging.”
MS15-084 resolves vulnerabilities in Windows and Microsoft Office. The holes in XML Core Services could allow information disclosure “by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0.” To exploit this, an attacker would need to social engineer a victim into opening a maliciously crafted link.
Zero-day alert: MS15-085 patches an elevation of privilege vulnerability in Windows Mount Manager that could be exploited if an attacker had physical access to the Windows machine. Microsoft wrote, “An attacker who successfully exploited this vulnerability could write a malicious binary to disk and execute it. To exploit the vulnerability, an attacker would have to insert a malicious USB device into a target system.” While rated only as “important,” Microsoft “received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft has reason to believe that this vulnerability has been used in targeted attacks against customers.”
MS15-086 patches a flaw in Microsoft System Center Operations Manager that could allow elevation of privilege (EoP) if an attacker tricked a victim into visiting a malicious website. It’s rated important for “affected versions of Microsoft System Center 2012 Operations Manager and Microsoft System Center 2012 Operations Manager R2.”
MS15-087 is for another vulnerability that could lead to EoP. It patches a bug in Windows UDDI Services that an attacker could exploit by engineering “a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter.”
MS15-088 addresses an unsafe command line parameter passing that could allow information disclosure in Microsoft Office, Microsoft Windows and Internet Explorer. “To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.”
MS15-089 is a security update for Microsoft Windows to address a vulnerability in WebDAV that could allow information disclosure “if an attacker forces an encrypted Secure Socket Layer (SSL) 2.0 session with a WebDAV server that has SSL 2.0 enabled and uses a man-in-the-middle (MiTM) attack to decrypt portions of the encrypted traffic. This security update is rated Important for all supported releases of Microsoft Windows except Itanium servers and Windows 10, which are not affected.”
MS15-090 resolves flaws in Microsoft Windows that could allow elevation of privilege “if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox. This security update is rated Important for all supported releases of Microsoft Windows except Windows 10, which is not affected.”
MS15-092 fixes vulnerabilities in Microsoft .NET framework that could allow elevation of privilege if an attacker convinces a user to run a specially crafted .NET application. The patch is rated “important for Microsoft .NET Framework 4.6 on all supported releases of Microsoft Windows except Itanium editions.”
Whew! As always, happy patching!