This month's Patch Tuesday is a bit on the lighter side with only 8 bulletins. In total, 45 distinct vulnerabilities are addressed with over half belonging to Internet Explorer. At the time of release, Microsoft seemed to skip the MS15-058 bulletin, so we'll be sure to keep an eye out for it.
MS15-056: Cumulative Security Update for Internet Explorer (3058515)
Right off the bat, Internet Explorer strikes again with a hefty 24 vulnerabilities spanning all supported versions of IE. The majority are memory corruption bugs leading to remote code execution; however, there are also 3 elevation of privilege vulnerabilities and 1 information disclosure vulnerability. The information disclosure vulnerability does not have a huge impact, but it is unique in the sense that it can allow remote attackers to view a victim's browsing history. As is usually the case, there is no way to force a victim to view malicious content. However, using social engineering, a user can be coerced into visiting specially crafted sites by clicking on URLs.
MS15-057: Vulnerability in Windows Media Player Could Allow Remote Code Execution (3033890)
Windows Media Player was patched this month for a single remote code execution vulnerability. The vulnerability is specifically in the handling of crafted ‘DataObject’ content, which a Google search suggests is a command-line switch to wmplayer.exe. Read more here.
The given workaround for this bug is to remove wmplayer from the Internet Explorer ElevationPolicy, implying that this is actually a sandbox escape.
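As an added example (not from the original post or from Microsoft), the following PowerShell check lists any Internet Explorer ElevationPolicy entries that name wmplayer.exe, so an administrator can confirm whether the workaround above has been applied. It assumes the standard ElevationPolicy layout (GUID subkeys carrying AppName, AppPath and Policy values, with Policy 3 meaning a silent medium-integrity launch out of Protected Mode).

```powershell
# Audit IE Protected Mode ElevationPolicy entries for wmplayer.exe (MS15-057 workaround check).
# Added example; key layout and Policy meanings are standard IE behaviour, not taken from the bulletin.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)
# Policy values: 0 = blocked, 1 = launch at low integrity, 2 = prompt, 3 = silent medium-integrity launch.
$policyNames = @{ 0 = 'Blocked'; 1 = 'Low integrity (silent)'; 2 = 'Medium integrity (prompt)'; 3 = 'Medium integrity (silent)' }

function Get-ElevationPolicyEntry {
    param([string]$AppName = 'wmplayer.exe')   # application name to look for
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.AppName -and $p.AppName -ieq $AppName) {
                $policy = if ($null -ne $p.Policy) { [int]$p.Policy } else { -1 }
                [pscustomobject]@{
                    Root    = $root
                    Key     = $_.PSChildName
                    AppName = $p.AppName
                    AppPath = $p.AppPath
                    Policy  = $policy
                    Meaning = if ($policyNames.ContainsKey($policy)) { $policyNames[$policy] } else { 'Unknown' }
                }
            }
        }
    }
}

$entries = @(Get-ElevationPolicyEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No wmplayer.exe ElevationPolicy entry found: workaround applied or entry never present.'
} else {
    $entries | Format-Table -AutoSize
    # Silent elevation (Policy 3) is the setting the bulletin's workaround removes.
    $entries | Where-Object { $_.Policy -eq 3 } | ForEach-Object {
        Write-Warning "Silent elevation still allowed for $($_.AppName) under $($_.Root)\$($_.Key)"
        # Remediation (elevated shell, after exporting the key as a backup):
        # Remove-Item -Path "$($_.Root)\$($_.Key)" -Recurse
    }
}
```

Run from an elevated prompt so both the native and Wow6432Node hives are readable; the removal line is left commented so the script only reports by default.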
MS15-059: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3064949)
This month, Microsoft patches 3 remote code execution vulnerabilities within Office 2007, 2010, and 2013. Apart from what appear to be two file-format parsing bugs, which could be mitigated by blocking legacy converters, the workaround information for the third vulnerability seems to imply that the uninitialized memory involved is related to an ActiveX component (specifically the osf.Sandbox ActiveX control).
MS15-060: Vulnerability in Microsoft Common Controls Could Allow Remote Code Execution (3059317)
This bulletin fixes a use-after-free vulnerability within the Common Controls engine on Windows Vista and above. If a user clicks a link leading to a specially crafted webpage and then invokes Developer Tools within Internet Explorer, remote code execution is possible.
MS15-061: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839)
This bulletin describes 11 vulnerabilities in various Windows kernel-mode drivers. Affecting all versions of Windows, these vulnerabilities can allow information disclosure or elevation of privilege to full user rights if a local attacker has valid logon credentials.
MS15-062: Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege (3062577)
Switching gears over to web application security, Active Directory Federation Services contains a cross-site scripting vulnerability allowing an attacker to run arbitrary scripts in the security context of the logged-on user. The issue lies in how ADFS handles URL parameters. Microsoft was kind enough to provide us with a PoC in the workarounds section:
MS15-063: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (3063858)
The Windows kernel contains an elevation of privilege vulnerability in LoadLibrary, which does not properly validate user input. The vulnerability occurs when a .dll file is placed in a local directory (or on a file share) where a specially crafted program can make use of it.
MS15-064: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157)
This bulletin addresses more web-based vulnerabilities, consisting of server-side and cross-site request forgeries along with an HTML injection vulnerability. Successful exploitation depends on the victim being logged in and navigating to a malicious site, after which an attacker can scan and attack systems behind a firewall that are normally inaccessible from the outside world, enumerate and attack services running on those hosts, and exploit host-based authentication services.