Starting off the new year, Microsoft directs its focus more toward user rights and access. For the majority of bulletins, an attacker would need some form of authentication prior to elevating their privileges. Aside from these, the most notable vulnerability lies within an old friend named Telnet, which affects even the newer versions of Windows. Also, Google’s security research team has offered up its fair share of findings this month with three vulnerabilities, two of which were publicly disclosed prior to this Patch Tuesday.
– First up, we see a vulnerability in Microsoft’s Application Compatibility Infrastructure. This vulnerability was publicly disclosed by Google’s security research team, Project Zero, prior to the bulletin’s release. The issue involves an improper authorization check against a caller’s impersonation token, which can be used to elevate the privileges of an application. Successful exploitation requires the attacker to be authenticated.
– Next, and certainly not least, Telnet makes a very interesting return which can allow remote code execution. An attacker can send specially crafted packets to the listening telnet server causing a buffer overflow. Telnet is not enabled by default, but this vulnerability serves as a reminder that it’s a good idea to enforce a GPO which does not allow a service such as this to run, as there are much more secure methods of remotely administering Windows systems.
– This vulnerability, involving the User Profile Service, was also publicly released by Google’s Project Zero prior to the bulletin. Successful exploitation can allow an authenticated attacker to load registry hives associated with other user accounts and subsequently run an arbitrary application with elevated privileges.
– Here we have another privilege elevation vulnerability, in which the victim must manually run a maliciously crafted application. Once exploited, an attacker can gain the same user rights as the victim. To prevent total system compromise, it’s good practice to avoid running as administrator as well as avoid running untrusted applications.
– This bulletin involves the Network Location Awareness Service which fails to properly validate an untrusted network. An attacker can spoof DNS and LDAP responses tricking the system into thinking a network is part of a trusted domain. One thing to note here is that Microsoft did not supply a patch for Server 2003 systems and as we continue to approach the system’s end-of-life date (July 2015), we can expect to see more of these types of occurrences.
– Windows Error Reporting (WER) contains a vulnerability that could allow an administrative user to view the memory of protected processes. This could allow a malicious user who already has administrative rights to gain additional credentials, which could be leveraged in lateral attacks against other systems. The update addresses this vulnerability by correcting the way in which WER interacts with processes.
– Another privately reported vulnerability in this group could lead to a Denial of Service on an Internet Authentication Service or Network Policy Server if a user sends certain username strings to either, thereby preventing RADIUS authentication. The update changes the way in which Network Policy Servers parse the username queries when RADIUS is implemented.
– This single vulnerability update, also credited to Google’s Project Zero, addresses a WebDAV kernel-mode driver issue that allows an attacker with valid logon credentials to gain privilege elevation. The update corrects the way in which impersonation levels are validated and enforced. As we have repeatedly pointed out in the past, a great method of reducing the attack surface is to disable the WebClient service, which is typically used to leverage attacks that utilize WebDAV to transfer data. This bulletin is different, however, because the issue lies in an underlying driver, so even with WebClient disabled you may still be vulnerable until the update is applied.
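The bulletins above boil down to a short checklist for a Windows administrator: confirm the updates are installed, keep the Telnet server off (MS15-002), and report the state of the WebClient service (MS15-008) while remembering that only the patch fixes the driver flaw. The following PowerShell script is an added example, not code from the original post or from any vendor. It assumes PowerShell 3.0 or later on Windows and local administrator rights for the remediation step. The KB numbers are the ones listed in the audit section of this post; whether Get-HotFix reports the bulletin article number or a component KB varies by product, so a "NOT FOUND" result is something to confirm against Windows Update rather than proof the host is unpatched.

```powershell
# Added example: audit a Windows host against the January 2015 bulletins.
# Set $Remediate to $true to stop and disable the Telnet server if it is found.
$Remediate = $false

# KB numbers taken from the audit list in this post (assumption: Get-HotFix
# reports these IDs; some products record the component KB instead).
$Bulletins = [ordered]@{
    'MS15-001 App Compat Cache EoP'      = @('KB3023266')
    'MS15-002 Telnet Service RCE'        = @('KB3020393')
    'MS15-003 User Profile Service EoP'  = @('KB3021674')
    'MS15-004 Windows Components EoP'    = @('KB3019978', 'KB3023299', 'KB3020387', 'KB3020388')
    'MS15-005 NLA Security Bypass'       = @('KB3022777')
    'MS15-006 WER Security Bypass'       = @('KB3004365')
    'MS15-007 NPS RADIUS DoS'            = @('KB3014029')
    'MS15-008 Kernel-Mode Driver EoP'    = @('KB3019215')
}

# Installed hotfix IDs, as reported by WMI through Get-HotFix.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($entry in $Bulletins.GetEnumerator()) {
    $present = @($entry.Value | Where-Object { $installed -contains $_ })
    $status  = if ($present.Count -gt 0) { 'present: ' + ($present -join ', ') } else { 'NOT FOUND' }
    '{0,-36} {1}' -f $entry.Key, $status
}

# MS15-002: the Telnet server (service name TlntSvr) is not installed by default.
# Win32_Service exposes StartMode on every PowerShell version, unlike Get-Service.
$telnet = Get-CimInstance Win32_Service -Filter "Name='TlntSvr'"
if ($null -eq $telnet) {
    'Telnet server: not installed'
} else {
    'Telnet server: {0} (startup {1})' -f $telnet.State, $telnet.StartMode
    if ($Remediate) {
        # Stop it now and keep it from starting again; pair this with the GPO
        # the post recommends so the setting survives a rebuild.
        if ($telnet.State -ne 'Stopped') { Stop-Service -Name TlntSvr }
        Set-Service -Name TlntSvr -StartupType Disabled
        'Telnet server: stopped and disabled'
    }
}

# MS15-008: the post recommends disabling WebClient to shrink the WebDAV attack
# surface, but notes that the driver flaw itself is only fixed by the update.
$webclient = Get-CimInstance Win32_Service -Filter "Name='WebClient'"
if ($null -eq $webclient) {
    'WebClient: not installed'
} else {
    'WebClient: {0} (startup {1})' -f $webclient.State, $webclient.StartMode
}

# MS15-004 reminder: the EoP requires the victim to run a crafted application,
# so report whether this session itself is running with administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
'Current session elevated: {0}' -f $isAdmin
```

Run it as-is for a read-only report; the remediation branch is gated behind `$Remediate` so the script can be dropped into a scheduled audit without changing service state unexpectedly.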
The following vulnerability audits have been released in audits revision 2868:
[MS15-001] - Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266)
44404 - Microsoft Windows Application Compatibility Cache Privilege Elevation (3023266)
44406 - Microsoft Windows Application Compatibility Cache Privilege Elevation (3023266)
44412 - Microsoft Windows Application Compatibility Cache Privilege Elevation (3023266)
[MS15-002] - Vulnerability in Windows Telnet Service Could Allow Remote Code Execution (3020393)
44411 - Microsoft Windows Telnet Service Remote Code Execution (3020393)
[MS15-003] - Vulnerability in Windows User Profile Service Could Allow Elevation of Privilege (3021674)
44405 - Microsoft Profile Service Privilege Escalation (3021674) - 2003
44407 - Microsoft Profile Service Privilege Escalation (3021674)
[MS15-004] - Vulnerability in Windows Components Could Allow Elevation of Privilege (3025421)
44398 - Microsoft Windows Components Elevation of Privileges (3025421) KB3019978 7/20082
44400 - Microsoft Windows Components Elevation of Privileges (3025421) - KB3023299
44401 - Microsoft Windows Components Elevation of Privileges (3025421) - KB3020387
44403 - Microsoft Windows Components Elevation of Privileges (3025421) - KB3020388
44431 - Microsoft Windows Components Elevation of Privileges (3025421) KB3019978 8/2012
44432 - Microsoft Windows Components Elevation of Privileges (3025421) KB3019978 81/R2
[MS15-005] - Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777)
44399 - Microsoft Network Location Awareness Service Security Bypass (3022777)
44402 - Microsoft Network Location Awareness Service Security Bypass (3022777) - 2003
[MS15-006] - Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365)
44396 - Microsoft Windows Error Reporting Security Bypass (3004365)
[MS15-007] - Vulnerability in Network Policy Server RADIUS Implementation Could Cause Denial of Service (3014029)
44397 - Microsoft Network Policy Server RADIUS Implementation DoS (3014029)
[MS15-008] - Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215)
44410 - Microsoft Windows Kernel-Mode Driver Privilege Elevation (3019215)