July’s Patch Tuesday is a hefty one, clocking in with 14 bulletins, including the typical misfits - Internet Explorer and Office. Last month’s missing bulletin (MS15-058) is now included, patching important-rated vulnerabilities within SQL Server. Also, it should be mentioned that the official Windows 10 release is right around the corner, set to release on July 29th. With that said, let’s dive into the action.
MS15-058: Vulnerabilities in SQL Server Could Allow Remote Code Execution (3065718)

Starting off this month’s Patch Tuesday, we have three vulnerabilities within Microsoft SQL Server, two of which can lead to remote code execution (CVE-2015-1762 and CVE-2015-1763), while the other offers elevation of privilege (CVE-2015-1761). The good news is that all of these vulnerabilities require special permissions to create/modify databases and schema on the server, which limits the potential attack surface of the application.

MS15-065: Security Update for Internet Explorer (3076321)

And what kind of Patch Tuesday would it be without our old friend Internet Explorer? This month, IE rears its head with a whopping 29 vulnerabilities encompassing remote code execution, ASLR bypass, cross-site scripting bypass and elevation of privilege vulnerabilities. With Windows 10 peeking around the corner, this makes Windows’ new Edge browser look more and more appealing.

MS15-066: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3072604)

VBScript is back again this month with a remote code execution vulnerability which Microsoft has labeled as critical for clients and moderate for servers. This vulnerability ties into the Internet Explorer update because IE integrates the VBScript engine, so the real threat (attack vector) is introduced when visiting malicious websites with IE. The vulnerability is, however, limited to the context of the current user, so once again, running as Administrator should be on your list of things NOT to do while browsing the internet (or in general, unless absolutely necessary).

MS15-067: Vulnerability in RDP Could Allow Remote Code Execution (3073094)

You’d think that after 25+ years of service, the Remote Desktop Protocol (RDP) would be a rock-solid, well-oiled machine, right? Well, Microsoft is here to tell you that this isn’t the case. RDP strikes again with a critical remote code execution vulnerability affecting 32-bit versions of Windows 7 and 8. The issue exists due to the improper handling of specially crafted packets sent to the RDP server service. Once exploited, this vulnerability grants full user rights, giving an attacker full rein over the entire system.

MS15-068: Vulnerabilities in Windows Hyper-V Could Allow Remote Code Execution (3072000)

This bulletin patches two vulnerabilities within Hyper-V which can lead to remote code execution within the host context. The vulnerabilities require that an authenticated and privileged attacker have valid credentials within a guest virtual machine and run a specially crafted application there.

MS15-069: Vulnerabilities in Windows Could Allow Remote Code Execution (3072631)

Two remote code execution vulnerabilities are addressed by this bulletin, affecting all systems from Windows Vista and up. The issue involves DLL hijacking, in which a malicious DLL can be loaded by a particular application by placing it in the same directory that the application was launched from. In this case, Windows Media Device Manager improperly handles DLL loading when opening specially crafted .RTF files. Successful exploitation can lead to full system compromise: installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights. Scary stuff for such a seemingly trivial attack vector.

MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3072620)

Eight vulnerabilities in Office are patched this month, affecting multiple Office products including Excel, Word, PowerPoint, and SharePoint Server. Most of these vulnerabilities result in remote code execution; however, one is an ASLR bypass and another is a DLL hijacking vulnerability (CVE-2015-2375) within Excel, similar to the issues presented in the MS15-069 bulletin. For the remote code execution vulnerabilities, the attacker is limited to the context of the current user, and they will typically be exploited through some sort of social engineering or phishing scheme to get the user to open a specially crafted file or to visit a malicious website where the file is hosted. In contrast, CVE-2015-2375 allows an attacker to run with full user rights, which makes this class of vulnerability especially dangerous.

MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege (3068457)

This bulletin addresses an issue within Netlogon, affecting all versions of Windows, which can allow an attacker to establish a secure communication channel belonging to a different machine by using a spoofed computer name. The attacker can then use this communication channel to obtain session-related information for the actual secure channel. Successful exploitation requires that the attacker be logged on to a domain-joined system and be able to observe network traffic.

MS15-072: Vulnerability in Windows Graphics Component Could Allow Elevation of Privilege (3069392)

The Windows graphics component is patched for an elevation of privilege vulnerability that exists when processing bitmap conversions. Successful exploitation requires that an attacker be logged into the system to run a specially crafted application.

MS15-073: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3070102)

This month offers up another round of kernel-mode driver vulnerabilities, this time without remote code execution, which is obviously a good thing. This bulletin addresses three elevation of privilege and three information disclosure vulnerabilities within the win32k.sys driver, all of which can be used in conjunction with other exploits to obtain complete system compromise.

MS15-074: Vulnerability in Windows Installer Service Could Allow Elevation of Privilege (3072630)

The Windows Installer service is updated this month to address an elevation of privilege vulnerability. The issue occurs when the service attempts to run custom action scripts. In order for this to happen, an attacker must first compromise a user account, locate an installed vulnerable .msi package, and place a specially crafted script on the target system that the .msi package can execute.

MS15-075: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633)

This bulletin patches two vulnerabilities within OLE which occur when opening files containing specially crafted OLE objects. To exploit these, an attacker would have to convince the user to open the malicious file or visit a malicious site. Nicolas Joly is credited with finding these vulnerabilities, which were reported through coordinated disclosure; there was no evidence of them being actively exploited in the wild prior to this bulletin’s release.

MS15-076: Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505)

Windows RPC is patched this month to fix an elevation of privilege vulnerability caused when Windows RPC inadvertently allows DCE/RPC connection reflection. Successful exploitation requires that an attacker, once logged into the system, run a specially crafted application. This vulnerability was reported through coordinated disclosure, although there is no mention of who is credited with its discovery.

MS15-077: Vulnerability in ATM Font Driver Could Allow Elevation of Privilege (3077657)

This bulletin addresses a vulnerability within the Adobe Type Manager Font Driver, which can lead to elevation of privileges and possibly arbitrary code execution on the affected system. Prior to this bulletin’s release, the vulnerability had been publicly disclosed, with reports of it being actively exploited in the wild.

Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
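As an added example that is not part of the original post, the following PowerShell check audits a Windows host for the fourteen KB numbers quoted in this month’s bulletin titles. It assumes the bulletin’s KB id is the id of the package actually installed; bulletins that ship per-product packages (IE, Office, SQL Server) may install under a different id, and Get-HotFix does not report Office or SQL Server updates at all, so a "missing" result for those is a prompt to check the bulletin’s own table rather than proof.

```powershell
# Added example (not BeyondTrust's code): audit a host for the July 2015 bulletin KBs.
# Assumption: the KB in each bulletin title is the installed package id. Get-HotFix
# reads Win32_QuickFixEngineering, which omits Office and SQL Server updates, so
# MS15-058 and MS15-070 will usually show as missing even on a fully patched host.

$July2015Bulletins = [ordered]@{
    'MS15-058' = 'KB3065718'  # SQL Server, RCE
    'MS15-065' = 'KB3076321'  # Internet Explorer cumulative
    'MS15-066' = 'KB3072604'  # VBScript engine, RCE
    'MS15-067' = 'KB3073094'  # RDP, RCE (32-bit Win7/8)
    'MS15-068' = 'KB3072000'  # Hyper-V, RCE on host
    'MS15-069' = 'KB3072631'  # DLL hijacking, RCE
    'MS15-070' = 'KB3072620'  # Office, RCE / DLL hijacking
    'MS15-071' = 'KB3068457'  # Netlogon, EoP
    'MS15-072' = 'KB3069392'  # Graphics component, EoP
    'MS15-073' = 'KB3070102'  # win32k.sys, EoP / info disclosure
    'MS15-074' = 'KB3072630'  # Windows Installer, EoP
    'MS15-075' = 'KB3072633'  # OLE, EoP
    'MS15-076' = 'KB3067505'  # RPC reflection, EoP
    'MS15-077' = 'KB3077657'  # ATM font driver, EoP (exploited in the wild)
}

function Test-July2015Patches {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # One WMI query per host; -ErrorAction Stop so an unreachable host fails loudly
    # instead of silently reporting everything as missing.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in $July2015Bulletins.Keys) {
        $kb = $July2015Bulletins[$bulletin]
        [pscustomobject]@{
            Computer  = $ComputerName
            Bulletin  = $bulletin
            KB        = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}

# Report only what is still outstanding; pipe several hosts in for a fleet view.
Test-July2015Patches | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

Prioritise the MS15-077 and MS15-067 rows if they come back missing, since the post notes the first was already exploited in the wild and the second is unauthenticated RCE against the RDP service.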