Way to go! Congratulations on suffering through another year of deploying security patches. Microsoft released 12 security bulletins for the last Patch Tuesday of 2015, eight of which are rated as critical for remote code execution vulnerabilities. Hopefully none will result in exceedingly uncool changes like Microsoft snuck into Windows 10 last month to reset privacy settings and default programs.
Although Microsoft regards MS15-135 only as “important,” it would be wise to jump on this one as it is the fix for a zero-day vulnerability in the Windows kernel that attackers are exploiting to escalate privilege, according to Qualys CTO Wolfgang Kandek. You wouldn’t know it by its Microsoft-rated “important” status, as Redmond’s security team mentioned that it resolves flaws in Windows kernel-mode drivers. Nils Sommer of bytegeist, working with Google Project Zero, is credited with reporting three CVE’s associated with this patch.
MS15-124 is a cumulative security update to resolve Internet Explorer flaws tied to 30 CVEs. 22 deal with IE memory corruption and “Microsoft browser” memory corruption vulnerabilities. Two fix XSS filter bypass flaws, another addresses an ASLR (Address Space Layout Randomization) bypass, one closes a hole in “Microsoft browser” that could lead to elevation of privilege, and a separate CVE is earmarked as an Internet Explorer XSS filter bypass; there’s also a patch for an IE information disclosure bug, as well as for a scripting engine information disclosure vulnerability, and a scripting engine memory corruption to correct a multiple RCE flaw.
MS15-125 is the cumulative security update for Microsoft Edge, fixing a variety of security shortcomings which range from memory corruption flaws, XSS filter bypass, ASLR bypass, elevation of privilege and spoofing vulnerabilities.
While discussing the importance of keeping browsers as up-to-date as possible, since they are constantly used in attack scenarios like drive-by-downloads and spear phishing, Kandek noted, “Edge has ‘only’ 15 issues, with 11 duplicates from IE and four issues native to Edge itself.”
MS15-126 is a cumulative security patch for Windows VBScript scripting engine and Jscript; if left unpatched, an attacker could abuse the bugs for information disclosure or worse, to pull off remote code execution.
MS15-127 addresses a vulnerability in Microsoft Windows DNS that could allow RCE if an attacker sent maliciously crafted requests to a DNS server.
Regarding MS15-127, Bobby Kuzma, CISSP, systems engineer at Core Security, said:
“Microsoft has really given us a doozy of a Christmas present, with the ability for attackers to work a remote code execution with a DNS query! If your organization runs public facing DNS servers on Windows, you’ve got a problem. If you’ve got internal DNS servers running Windows, then you’ve got an easy escalation path for attackers who are able to phish end users.”
Kandek also remarked on MS15-127, writing, “Attackers that exploit MS15-127 in Microsoft’s DNS server would gain control over the server and execute code in the system context. The attack is remote and does not require authentication, no workarounds are available. Bring your Microsoft DNS servers up to date as soon as possible, with the required testing and soak time for such a fundamental service.”
MS15-128 patches Microsoft graphics component to resolve “vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.”
Core Security’s Kuzma was amusing in his font vulnerability frustration last month when he asked, “What genius decided that FONT HANDLING belonged in the most sensitive parts of the operating system kernel?” He suggested that “allowing untrusted fonts into an environment is bordering on negligence,” especially since this type of flaw happens again and again. After seeing MS15-128, Kuzma said, “Another font handling issue? Didn’t we have one of these LAST month?”
MS15-129 fixes several vulnerabilities in Microsoft Silverlight that could allow information disclosure up to more critical remote code execution attacks.
MS15-130 resolves a flaw in Microsoft Uniscribe that could be exploited for RCE. Core Security’s Kuzma remarked, “More fonts. If you love your users, block fonts at the firewall. PLEASE.”
MS15-131 addresses numerous vulnerabilities in Microsoft Office, with the most severe being RCE. The flaws are fixed, Microsoft explained, “by correcting how Office handles objects in memory.”
MS15-132 fixes vulnerabilities which could lead to remote code execution, but like the zero-day fix, Microsoft – in all its wisdom – rates this only as important.
MS15-133 is a security update for Windows PGM to resolve yet another monthly EoP problem. Microsoft wrote, “Microsoft Message Queuing (MSMQ) must be installed and the Windows Pragmatic General Multicast (PGM) protocol specifically enabled for a system to be vulnerable. MSMQ is not present in default configurations and, if it is installed, the PGM protocol is available but disabled by default.”
MS15-135: As mentioned above, Kandek said this should be your top priority as it addresses a zero-day currently in use by attackers for elevation of privilege. Jon Rudolph, principal software engineer at Core Security, also mentioned the patch rated as “important” being a zero-day which could allow an escalation of privilege.
“In addition to these updates,” Rudolph noted, “an increasing number of users are getting more curious about the techniques Microsoft is using to encourage users to upgrade to windows 10, and about some of the data collection practices enabled by default as well as the always-on data collection. It’s clear that there’s value in knowing what your users are up to and there are times where we don’t seem to care as users, but it’s one step closer to a market where all successful tools come with a string attached - data collection by default.”
Don’t forget Adobe security updated for the dreaded Flash
A wise person resigned to deploying patches, and who hasn’t sworn off Flash, might also hop on Adobe’s new version of Flash as Kandek said, “APSB15-32 addresses a record number of 78 vulnerabilities. All but three of the vulnerabilities could be used by an attacker to gain code execution running under the user in the browser. From there a second vulnerability would have to be used to become system on the machine (look at MS15-135 for an example), but then the attacker would have full control. Flash based attacks have been a favorite for attackers for the year with many exploit kits providing very up-to-date exploits – include this in your high priority items.”