Microsoft gave everyone a breather in this month's Patch Tuesday, serving up fixes for a surprisingly modest 26 vulnerabilities. The fixes address various flaws including remote code execution, information disclosure, security feature bypass and cross-site scripting to name a few. Let's dive right in:
- Cumulative Security Update for Internet Explorer (3038314)
IE makes a somewhat predictable appearance again this month, but this time fixing only 10 vulnerabilities across all versions of IE from 6 through 11. Microsoft ranks this bulletin as Critical for workstations and Moderate for servers, indicating that servers are configured to run IE using Enhanced Security Configuration (ESC) settings by default, making them more difficult to successfully exploit. We always like to take a moment to point out that, if users are utilizing the Microsoft Enhanced Mitigation Experience Toolkit (EMET) software and have it configured to work with IE, they are inherently protected from a majority of these flaws even without patching. If that's not a good enough reason to get EMET deployed across your organization in the near future, we're not sure what is. An additional perk for users in this month's patch is that Microsoft has now disabled SSL 3.0 support by default in IE 11. Given the recent attacks against SSL such as POODLE, this is an excellent first step towards phasing it out in favor of TLS 1.2 and above. Microsoft also indicated that they shored up IE's protection by including defense-in-depth measures in this month's patch.
- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019)
Boasting this month's only publicly disclosed CVE (CVE-2015-1641), this Critical bulletin fixes various remote code execution and cross-site scripting flaws in Office 2007, 2010, 2013, Office for Mac, Word Viewer, Office Compatibility Pack, Word Automation Services, and Microsoft Web Apps Server 2010 and 2013. That seems like quite a few affected Office products, however when you consider how many features and components are shared across the various Office products, it makes a little more sense. The most severe of the Office vulnerabilities this month could allow remote code execution if a user opens a specially crafted MS Office file, so make sure your employees aren't running Office applications as users with administrative privileges in order to help reduce the damage that an attacker may cause. As with IE, Microsoft also slipped in some defense-in-depth measures here to help mitigate future attack vectors.
- Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
Probably this month's most significant bulletin, this Critical flaw could allow an unauthenticated attacker to remotely execute code in the context of the System account. We'll let that sink in for a moment...the SYSTEM account. Because this flaw exists in the HTTP.sys kernel-mode driver, the attacker's code runs at that driver's privilege level, hence the System context. If you're going to patch anything today, patch this, because nobody can afford to leave an unauthenticated remote code execution flaw exposed to attackers for very long. Alternatively, if you can't patch right away, Microsoft suggests disabling IIS kernel caching as a workaround. As always, read up on any potential impact the workaround may have and weigh the risks accordingly.
- Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306)
Last month we saw two bulletins addressing flaws in image parsing (MS15-024 and MS15-029), and this month we're getting a patch to address a remote code execution vulnerability that exists when a user views an Enhanced Metafile (EMF) image file. Another Critical bulletin, this doesn't affect Windows 8/8.1 or Server 2012/2012 R2 but does impact Server 2003, Vista, Server 2008, 7, and Server 2008 R2. This vulnerability is another reminder to avoid working as an administrative user whenever possible, since doing so reduces the damage an attacker can cause by successfully exploiting this flaw. If you can't patch, one workaround is to turn off metafile processing, however be aware that this could result in side effects such as the inability to print, display Clipart images, and broken OLE rendering.
- Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044)
The SharePoint beast received a fix for two cross-site scripting vulnerabilities this month which Microsoft ranked as Important. They handle some problems related to SharePoint not sanitizing user input correctly. Attackers who successfully exploit these vulnerabilities could read content that the attacker isn't authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, and inject malicious content in the browser of the victim. SharePoint 2010, 2013, and Foundation 2013 are affected.
- Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (3046269)
This bulletin is somewhat interesting in that it only affects Windows 7 and 2008 R2. An Important Elevation of Privilege vulnerability, this flaw allows an attacker to run specially crafted applications in the context of the System account due to a known invalid task being present on certain systems. It appears that this task is actually related to Windows Defender, a security tool built into some Windows operating systems. An attacker would first have to log on to the system and determine whether or not the invalid task was present.
- Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576)
This Important bulletin affects all supported Windows versions, patching two privately disclosed vulnerabilities. The vulnerability could allow an attacker to elevate their privilege level if they log on to the system and run a specially crafted application.
- Vulnerability in XML Core Services Could Allow Security Feature Bypass (3046482)
Affecting Microsoft XML Core Services 3.0 on Server 2003, Vista, Server 2008, 7, and Server 2008 R2, this Important patch fixes one privately reported security feature bypass vulnerability. The problem specifically allows a same-origin policy security feature bypass where cross-domain data access could be possible in a document type declaration (DTD) scenario. An attacker who exploited this vulnerability could access sensitive user information such as username or password. The most interesting part of this bulletin is actually in the FAQ, which states that this vulnerability does not affect Windows 8/Server 2012/8.1/2012 R2/RT 8.1 because those operating systems already contain the fix for this vulnerability. We have to ask...if these other operating systems were already fixed, what took Microsoft so long to apply it to the operating systems affected in this month's bulletin? We will probably never know.
- Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3045711)
This information disclosure vulnerability, related to a failed logoff process, is ranked as Important by Microsoft and would allow an attacker to gain access to a user's information by reopening an application from which the user logged off. Since the logoff process fails, an attacker would not be prompted to enter a username or password and could then discover information that the user has access to.
- Vulnerability in .NET Framework Could Allow Information Disclosure (3048010)
This month brings us an Important bulletin that fixes a vulnerability in ASP.NET that would allow an attacker to read parts of a web application's web.config file when the site is configured to disable custom error messages. For all of you .NET web developers out there, you're familiar with the web.config file as a place to store your database connection string information as well as other application settings. While it's unclear which parts of the configuration file could be read, generally speaking we want to prevent anyone from accessing this file due to the potentially sensitive information it might contain. The good news is that, by default, custom errors are set to only display when a user is accessing the site locally. Best practices would dictate that, when configuring a production server, the customErrors mode should be set to "On" and a defaultRedirect page value should be set to capture any page response (404, 500, etc.) that would be classified as an "error." This limits the information an attacker would be able to view when they find a bug in a web application. A developer would have to explicitly change the customErrors mode value to "Off" in order to be affected by this flaw. However, developers often configure applications this way while developing them in order to see errors more easily, then forget to change it back to a more secure setting when deploying the application. Always review web.config settings before deploying to production, and even better, encrypt their contents once deployed using instructions from Microsoft.
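As an added example (not from the original post, and not a Microsoft tool), the PowerShell audit below parses web.config files and reports the customErrors posture described above, flagging mode="Off" as the setting exposed to this bulletin's web.config disclosure flaw (3048010) and noting whether a connectionStrings section is still stored in plaintext. The function name, the two sample configs, and the temp-directory paths are constructed for illustration; point the final scan at a real site root on your own servers.

```powershell
# Added example, not from the original post: audit ASP.NET web.config files for the
# customErrors posture and for unencrypted connectionStrings sections.
# Function name, sample configs and paths are constructed for illustration.

function Get-WebConfigPosture {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -Path $Path -Raw
    $ce = $cfg.SelectSingleNode('/configuration/system.web/customErrors')

    # ASP.NET defaults to RemoteOnly when the element is absent: detailed errors
    # go only to local requests; remote clients see the generic error page.
    $mode     = if ($ce -and $ce.HasAttribute('mode')) { $ce.GetAttribute('mode') } else { 'RemoteOnly' }
    $redirect = if ($ce -and $ce.HasAttribute('defaultRedirect')) { $ce.GetAttribute('defaultRedirect') } else { $null }

    $finding = switch ($mode) {
        'Off'   { 'WEAK: detailed errors reach remote clients; exposed to the web.config disclosure flaw (3048010)' }
        'On'    { if ($redirect) { 'OK: custom errors on with a defaultRedirect page' }
                  else           { 'REVIEW: custom errors on but no defaultRedirect page set' } }
        default { 'DEFAULT: RemoteOnly, detailed errors shown to local requests only' }
    }

    # A section encrypted with aspnet_regiis carries a configProtectionProvider attribute;
    # a connectionStrings section without it is stored in plaintext.
    $cs = $cfg.SelectSingleNode('/configuration/connectionStrings')
    $plaintextConnStrings = [bool]($cs -and -not $cs.HasAttribute('configProtectionProvider'))

    [pscustomobject]@{
        File                 = Split-Path -Leaf $Path
        CustomErrorsMode     = $mode
        DefaultRedirect      = $redirect
        PlaintextConnStrings = $plaintextConnStrings
        Finding              = $finding
    }
}

# Constructed samples: a development config left with errors on, and a hardened production one.
$devConfig = @'
<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db01;Database=App;User Id=app;Password=example" />
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
'@

$prodConfig = @'
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>placeholder-ciphertext</EncryptedData>
  </connectionStrings>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
  </system.web>
</configuration>
'@

# Write the samples to a temp directory so the scan below runs offline.
$auditDir = Join-Path ([System.IO.Path]::GetTempPath()) 'webconfig-audit'
New-Item -ItemType Directory -Path $auditDir -Force | Out-Null
Set-Content -Path (Join-Path $auditDir 'dev.web.config')  -Value $devConfig
Set-Content -Path (Join-Path $auditDir 'prod.web.config') -Value $prodConfig

# On a real server, replace $auditDir with the site root (e.g. C:\inetpub\wwwroot, an assumed path).
Get-ChildItem -Path $auditDir -Filter '*web.config' -Recurse |
    ForEach-Object { Get-WebConfigPosture -Path $_.FullName } |
    Format-Table -AutoSize
```

The dev sample comes back flagged WEAK with PlaintextConnStrings set to True; the prod sample comes back OK with False. The script only detects: the encryption itself is done with Microsoft's aspnet_regiis.exe (for example `aspnet_regiis.exe -pe "connectionStrings" -app "/YourApp"`), which is the procedure the post refers to.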
- Vulnerability in Windows Hyper-V Could Allow Denial of Service (3047234)
Rounding out the list is a denial-of-service vulnerability rated as Important. Affecting 64-bit Windows 8.1 and Server 2012 R2 systems, it could let an authenticated attacker who runs a specially crafted application in a VM session cause other VMs on the host to become unmanageable in Virtual Machine Manager. Microsoft addressed the flaw by correcting how Virtual Machine Manager validates user input.