August brings with it another hefty Patch Tuesday containing 14 bulletins in total. As usual, Internet Explorer and Office receive their monthly dose of patches for memory corruption vulnerabilities, while more atypical vulnerabilities present themselves in forms ranging from cross-site scripting to command line parsing. Also, Microsoft Edge, the new Windows 10 browser, receives its first official update, making this month’s set of bulletins as diverse as any.
MS15-079: Cumulative Security Update for Internet Explorer (3082442)
Right off the bat, Internet Explorer is patched for 13 vulnerabilities, the majority being memory corruption leading to arbitrary code execution in the context of the current user. As usual, the typical way to exploit these is to host a malicious webpage and then socially engineer a victim to navigate to it. Two ASLR bypasses were also fixed, which can allow an attacker to obtain memory addresses to assist with exploit development. Lastly, Internet Explorer can be used as an attack vector to expose sensitive information by passing a crafted command line argument to Excel, Notepad, Visio, or Word. This, however, requires an attacker to leverage another vulnerability to execute arbitrary code beforehand.
MS15-080: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3078662)
This bulletin represents Microsoft’s attempt at hardening font parsing vulnerabilities, which seem to have come under heavy attack recently thanks in part to Mateusz Jurczyk of Google Project Zero. Six OpenType Font vulnerabilities are resolved along with five for TrueType Font parsing. These vulnerabilities can lead to remote code execution, giving an attacker complete control over the system. All versions of Windows are affected, including Windows 10. In addition, four other vulnerabilities involving various security bypasses (kernel ASLR, Shell, CSRSS, and KMD) can allow for elevated privileges on the system.
MS15-081: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution - Critical (3080790)
Office is back for its monthly round of fixes, this time offering up a total of 8 vulnerabilities. Five of these are due to Office improperly handling objects in memory, leading to memory corruption and code execution in the context of the current user. Additionally, various Office products can be used as an attack vector for exploiting CVE-2015-2423 by passing specially crafted command line parameters to the application.
MS15-082: Vulnerabilities in RDP Could Allow Remote Code Execution (3080348)
RDP strikes again with session host spoofing and DLL planting vulnerabilities. The spoofing vulnerability is caused by a Remote Desktop Session Host (RDSH) not validating certificates during the initial handshake. A man-in-the-middle attacker can subsequently generate an untrusted certificate and impersonate the client session. The DLL planting vulnerability is caused by the Remote Desktop Protocol Client improperly handling the loading of certain DLL files, which can lead to remote code execution with full user rights. In order to exploit this vulnerability, an attacker would need to place a specially crafted DLL in the user’s current working directory and convince the user to open a malicious RDP file.
MS15-083: Vulnerability in Server Message Block Could Allow Remote Code Execution (3073921)
This bulletin addresses a remote code execution vulnerability within Server Message Block. This vulnerability occurs when SMB improperly handles certain logging activities. Successful exploitation requires an attacker to possess valid credentials in order to send a specially crafted string to the SMB server’s error log.
MS15-084: Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129)
For some reason, MSXML Core Services still allows the use of SSL 2.0, even though the protocol has been deprecated and vulnerable for years. A man-in-the-middle attacker can force the use of an SSL 2.0 session and decrypt network traffic exposing sensitive information. Microsoft has patched two vulnerabilities related to this by configuring MSXML to use more secure network protocols by default, instead of SSL 2.0. Another vulnerability within MSXML exposes memory addresses allowing a remote attacker to bypass ASLR on the target system by convincing a victim to visit a malicious website.
MS15-085: Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487)
Have you ever been worried about inserting a USB stick into your computer? If so, then this bulletin confirms your suspicions and proves that you’re not paranoid. This patch fixes a vulnerability within Mount Manager which can allow an attacker to write a malicious binary to disk and execute it, elevating their privileges.
MS15-086: Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege (3075158)
Switching gears into web application security, Microsoft patches a cross-site scripting vulnerability within System Center Operations Manager. This vulnerability can allow a remote attacker to inject arbitrary scripting code into a victim’s browser, allowing them to spoof content, disclose information, and perform an action in the context of the victim. The attack vector lies within a URL leading to a vulnerable webpage, which an attacker would convince a victim to visit.
MS15-087: Vulnerability in UDDI Services Could Allow Elevation of Privilege (3082459)
Similar to MS15-086, this bulletin also addresses a cross-site scripting vulnerability. The Universal Description, Discovery, and Integration (UDDI) Services improperly validate the search parameter in a FRAME tag, which can allow an attacker to obtain authorization cookies or redirect to a malicious page.
MS15-088: Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458)
The vulnerability responsible for this bulletin (CVE-2015-2423) affects other advisories from this month as well; however, this bulletin describes the root of the issue. When files at a medium integrity level become accessible to Internet Explorer running in Enhanced Protection Mode (EPM), it is possible to pass a specially crafted command line parameter to various products including Windows itself, Internet Explorer, and Microsoft Office. Successful exploitation requires an attacker to first leverage a separate code execution vulnerability within Internet Explorer running EPM, and then execute Excel, Notepad, PowerPoint, Visio, or Word using the crafted command line parameter, potentially disclosing sensitive information. The vulnerability itself was publicly disclosed prior to this bulletin’s release; however, there is no indication that it was being exploited in the wild.
MS15-089: Vulnerability in WebDAV Could Allow Information Disclosure (3076949)
This bulletin shares many similarities with MS15-084, in that WebDAV allows the use of SSL 2.0. Again, a man-in-the-middle attacker can force the use of this insecure protocol and decrypt portions of encrypted traffic. There is no acknowledgment given for the discoverer of this vulnerability, so it seems as though Microsoft realized the issue from MS15-084 could affect other products and identified the issue within WebDAV.
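A defender-side check for the SSL 2.0 fallback described in MS15-084 and MS15-089, as an added example that is not part of the original post: it classifies the first handshake bytes from each side of a captured connection and flags sessions where SSL 2.0 was offered or negotiated. The function names are hypothetical and the sample byte strings are constructed.

```python
# Added example: flag SSL 2.0 handshakes in captured traffic.

def classify_hello(data: bytes) -> dict:
    """Classify the first handshake message sent in one direction of a TCP stream."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03:
        # SSL 3.0/TLS record: type(1) version(2) length(2), then the handshake
        # header msg_type(1) length(3) followed by the hello's version(2).
        msg = {1: "client_hello", 2: "server_hello"}.get(data[5], "other")
        return {"format": "tls_record", "message": msg, "version": (data[9], data[10])}
    if len(data) >= 5 and data[0] & 0x80:
        # SSL 2.0 record: 2-byte header, high bit set, 15-bit body length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[:1] == b"\x01" and len(body) >= 3:
            # CLIENT-HELLO: msg_type(1) version(2) ...
            return {"format": "sslv2_record", "message": "client_hello",
                    "version": (body[1], body[2])}
        if body[:1] == b"\x04" and len(body) >= 5:
            # SERVER-HELLO: msg_type(1) session_id_hit(1) cert_type(1) version(2) ...
            return {"format": "sslv2_record", "message": "server_hello",
                    "version": (body[3], body[4])}
    return {"format": "unknown", "message": None, "version": None}

def assess(client_first: bytes, server_first: bytes) -> str:
    """Rate one connection from the first bytes sent by the client and by the server."""
    c, s = classify_hello(client_first), classify_hello(server_first)
    if s["format"] == "sslv2_record" and s["message"] == "server_hello" \
            and s["version"] == (0, 2):
        return "ssl2-negotiated"   # the session itself runs over SSL 2.0
    if c["format"] == "sslv2_record" and c["message"] == "client_hello":
        return "ssl2-offered"      # client still opens with an SSL 2.0-format hello
    if c["format"] == "tls_record" and s["format"] == "tls_record":
        return "ok"
    return "unknown"

# Constructed sample messages (zero-filled challenge, connection id and randoms).
SSL2_CLIENT = bytes([0x80, 28, 1, 0, 2, 0, 3, 0, 0, 0, 16, 1, 0, 0x80]) + bytes(16)
SSL2_SERVER = bytes([0x80, 30, 4, 0, 1, 0, 2, 0, 0, 0, 3, 0, 16, 1, 0, 0x80]) + bytes(16)
TLS12_CLIENT = (bytes([0x16, 3, 1, 0, 45, 1, 0, 0, 41, 3, 3]) + bytes(32)
                + bytes([0, 0, 2, 0, 0x2F, 1, 0]))
TLS12_SERVER = (bytes([0x16, 3, 3, 0, 42, 2, 0, 0, 38, 3, 3]) + bytes(32)
                + bytes([0, 0, 0x2F, 0]))

if __name__ == "__main__":
    for name, pair in [("legacy", (SSL2_CLIENT, SSL2_SERVER)),
                       ("compat hello", (SSL2_CLIENT, TLS12_SERVER)),
                       ("modern", (TLS12_CLIENT, TLS12_SERVER))]:
        print(name, "->", assess(*pair))
```
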
MS15-090: Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3060716)
Three elevation of privilege vulnerabilities are patched by this update, affecting the Windows Object Manager, the Registry, and the Filesystem. The Object Manager vector is caused by improper validation of impersonation levels, allowing an attacker to impersonate a higher privileged user. The Registry and Filesystem vectors allow certain interactions from within vulnerable sandboxed applications, both triggered by opening specially crafted files.
MS15-091: Cumulative Security Update for Microsoft Edge (3084525)
Microsoft Edge receives its first official update this month, fixing four vulnerabilities, three of which are memory corruption leading to remote code execution, while the other allows for ASLR bypassing. The question on everyone’s mind is: will Edge follow the path of Internet Explorer, containing vast amounts of vulnerabilities, or has Microsoft learned from past mistakes and truly built a much more secure browser? Only time will tell.
MS15-092: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3086251)
.NET is back again this month with three elevation of privilege vulnerabilities caused by the RyuJIT compiler. RyuJIT improperly optimizes certain parameters, resulting in code generation errors, which an attacker can use to take complete control of an affected system.