Microsoft patched a fairly hefty 58 CVEs across 9 bulletins this month, with Internet Explorer taking the lion's share of those fixes. Among the offending flaws are remote code execution, security bypass, elevation of privilege, and information disclosure vulnerabilities.

MS15-009 fixes 41 assorted flaws in Internet Explorer, including remote code execution, ASLR bypass, privilege elevation and information disclosure vulnerabilities. Among these, CVE-2014-8967 was publicly disclosed after Microsoft failed to meet the ZDI 180-day mitigation timeline. Workstations that frequently browse the internet are most at risk from these vulnerabilities. Because Enhanced Security Configuration mode is enabled by default in server operating systems, servers are slightly more protected from some of these flaws. Microsoft's EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note is that this update also gives IE 11 users additional security by disabling SSL 3.0 fallback attempts by default. Thanks POODLE!

MS15-010 targets the Windows Kernel-Mode Driver. Ranked as Critical by Microsoft, this bulletin delivers fixes for 6 vulnerabilities, including remote code execution and elevation of privilege flaws. One of these vulnerabilities was publicly disclosed as CVE-2015-0010. Note that one of these flaws can be exploited, resulting in remote code execution, simply by convincing a user to visit a malicious website that contains embedded TrueType fonts.

MS15-011 is the first of two Group Policy patches released by Microsoft this month. This one is interesting for administrators who operate Windows Server 2003 systems because Microsoft, despite flagging the operating system as affected, has decided not to issue a fix for it. This is primarily because the architectural changes that would be needed to fix the operating system properly are prohibitively complex. Given that the vulnerability requires a user to connect their system to an untrusted network controlled by an attacker, it is fairly unlikely that Windows Server 2003 systems would find themselves in this scenario. Laptop computers are more at risk since they often connect to untrusted networks such as WiFi hotspots at airports and coffee shops.

MS15-012 is one of two Office patches released this month. It fixes some remote code execution flaws in Office caused by improper parsing of documents. The bulletin is rated Important by Microsoft, and the damage caused by these flaws can be somewhat reduced by running Office applications as users with non-administrative privileges. To successfully exploit these flaws, the attacker would need to convince a user to open a malicious Office file.

MS15-013 is the other Office bulletin released this month. It patches a publicly disclosed vulnerability (CVE-2014-6362) affecting Office 2007, 2010, and 2013. This particular flaw allows attackers to bypass ASLR protection, which, when combined with a separate remote code execution vulnerability, could allow an attacker to achieve code execution. The vulnerability relies on convincing a user to open a malicious file, so proper employee training on the safe handling of Office documents from external sources may help avoid triggering it. Additionally, administrators who have deployed Microsoft's EMET software and configured it to work with Office are protected from this issue.

MS15-014 marks the second of the Group Policy patches issued this month. This flaw involves an attacker's ability to perform a man-in-the-middle attack that can potentially cause a system's Group Policy settings to be reverted to their default values. Workstations and servers that are configured to use Group Policy are primarily at risk from this vulnerability. Given that this attack would require a man-in-the-middle scenario, and presumably an attacker would need to be in a privileged spot on the network, this vulnerability seems more difficult to exploit in practice unless an attacker has already infiltrated a network.

MS15-015 patches an elevation of privilege vulnerability found in Windows 7 and later operating systems. To exploit this, an attacker would already need to have authenticated access to a system.

MS15-016 addresses a TIFF processing vulnerability found in all supported versions of Windows that could result in information disclosure. A user browsing to a website that contains a crafted TIFF file can potentially trigger this vulnerability; however, an attacker would have no way of forcing a user to visit a malicious website and would need to convince a user to do so.

MS15-017 patches an elevation of privilege flaw found in the slightly lesser-known System Center Virtual Machine Manager. An attacker needs valid Active Directory logon credentials to exploit this vulnerability; however, a successful attack could give the attacker complete control of the virtual machines controlled by the server.

Audits for these bulletins will be available in release 2877:

[MS15-009] Security Update for Internet Explorer (3034682)
44988 - Microsoft Cumulative Security Update for Internet Explorer (3034682)

[MS15-010] Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
44981 - Microsoft Windows Kernel-Mode Driver Remote Code Execution (3036220) - win32k
44993 - Microsoft Windows Kernel-Mode Driver Remote Code Execution (3036220) - cng
44994 - Microsoft Windows Kernel-Mode Driver Remote Code Execution (3036220) - ksecdd

[MS15-011] Vulnerability in Group Policy Could Allow Remote Code Execution (3000483)
44954 - Microsoft Group Policy Remote Code Execution (3000483)

[MS15-012] Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3032328)
44962 - Microsoft Office Remote Code Execution (3032328) - Excel 2007
44963 - Microsoft Office Remote Code Execution (3032328) - Word 2007
44964 - Microsoft Office Remote Code Execution (3032328) - Proofing Tools 2010
44966 - Microsoft Office Remote Code Execution (3032328) - Office 2010
44967 - Microsoft Office Remote Code Execution (3032328) - Excel 2010
44969 - Microsoft Office Remote Code Execution (3032328) - Word 2010
44972 - Microsoft Office Remote Code Execution (3032328) - Excel 2013
44973 - Microsoft Office Remote Code Execution (3032328) - Excel Compatibility Pack SP3
44974 - Microsoft Office Remote Code Execution (3032328) - Word Viewer
44975 - Microsoft Office Remote Code Execution (3032328) - Excel Viewer
44976 - Microsoft Office Remote Code Execution (3032328) - Word Compatibility Pack SP3
45001 - Microsoft Office Remote Code Execution (3032328) - Word Automation
45002 - Microsoft Office Remote Code Execution (3032328) - Web Apps 2010

[MS15-013] Vulnerability in Microsoft Office Could Allow Security Feature Bypass (3033857)
44955 - Microsoft Office Security Feature Bypass (3033857) - KB2920795 - Office 2007
44956 - Microsoft Office Security Feature Bypass (3033857) - KB2920795 - Office 2007 x64
44957 - Microsoft Office Security Feature Bypass (3033857) - KB2920748 - Office 2010
44958 - Microsoft Office Security Feature Bypass (3033857) - KB2920748 - Office 2010 x64
44959 - Microsoft Office Security Feature Bypass (3033857) - KB2910941 - Office 2013
44960 - Microsoft Office Security Feature Bypass (3033857) - KB2910941 - Office 2013 x64

[MS15-014] Vulnerability in Group Policy Could Allow Security Feature Bypass (3004361)
44965 - Microsoft Group Policy Security Feature Bypass (3004361)

[MS15-015] Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (3031432)
44961 - Microsoft Windows Elevation of Privilege (3031432)

[MS15-016] Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3029944)
44968 - Microsoft Graphics Component Information Disclosure (3029944)

[MS15-017] Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege (3035898)
44987 - Microsoft Virtual Machine Manager Elevation of Privilege (3035898)