Microsoft patched 44 CVEs across 14 bulletins this month, with vulnerabilities in Internet Explorer and Adobe Font Driver necessitating the bulk of those fixes. With so many bulletins, it was only natural that a wide variety of security flaws were found: remote code execution, elevation of privilege, denial of service, information disclosure, cross-site scripting, spoofing and security feature bypass were all present and accounted for in this month's roundup.
MS15-018 fixes 12 flaws in Internet Explorer, including memory corruption that could lead to remote code execution and a couple of elevation of privilege vulnerabilities. Two CVEs in this batch are noteworthy because they have been publicly disclosed. CVE-2015-0072 was apparently reported to Microsoft on Oct. 13, 2014; however, David Leo disclosed the details of this vulnerability to the popular Full Disclosure security mailing list on Jan. 31, 2015. Since then, a public exploit has surfaced in the well-respected Metasploit Framework, making this vulnerability a bit more pressing to patch. Additionally, CVE-2015-1626 was also publicly disclosed, according to Microsoft's bulletin. Given the potential for remote code execution in these vulnerabilities, Microsoft's Critical ranking of this bulletin for workstation systems seems justified. Because of the Enhanced Security Configuration mode that is enabled by default in server operating systems, servers are slightly more protected from some of these flaws, prompting Microsoft to reduce the severity ranking to Moderate for servers. Microsoft's EMET software, when installed and configured to work with IE, also offers additional protection from many of these vulnerabilities. One additional note: users running IE11 on Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 will also automatically receive additional updates from Windows Update that change Transport Layer Security (TLS) protocol renegotiation and fallback behavior in order to help mitigate against the POODLE
MS15-019 adds a fix for a privately reported memory corruption flaw in the VBScript engine that could allow remote code execution. While it is ranked as Critical for workstations, it is ranked as Moderate for servers. Note that the CVE fixed in this bulletin, CVE-2015-0032, is also one of the CVEs fixed by the MS15-018 IE Cumulative Update bulletin. Depending on which version of Internet Explorer is installed on your system, either MS15-018 or MS15-019 will be responsible for patching CVE-2015-0032. Specifically, only systems that have IE 8 or lower, or that don't have IE installed at all, will receive this bulletin. Customers running IE 9 or higher should instead apply the MS15-018 IE Cumulative Update patch. In a web-based attack scenario, an attacker could exploit this vulnerability by tricking a user into browsing to a specially crafted malicious website.
The next bulletin fixes two privately reported remote code execution vulnerabilities that affect all supported Microsoft operating systems. Although rated Critical, these vulnerabilities do require a user to perform specific actions, such as browsing to a malicious website or opening a malicious file, before they can be exploited. As a workaround for CVE-2015-0096 in this advisory, users can disable the display of icons for shortcuts and disable the WebClient service to block the most likely remote attack vector, the WebDAV client service. Note, however, that these workarounds do have usability impacts on the system, so be sure to review and test them before deciding to implement the workaround.
One of the larger bulletins this month, with eight CVEs, is the Critical advisory that applies to all supported versions of Windows and addresses denial of service, information disclosure, and remote code execution vulnerabilities within the Adobe Font Driver. It's important to note that while the information disclosure vulnerabilities in this bulletin do not by themselves allow arbitrary code execution, an attacker could use them in conjunction with another vulnerability in order to bypass security features such as Kernel Address Space Layout Randomization (KASLR). A mitigating factor is that, by default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default. However, if a user clicks a link in an email message, the user could still be vulnerable to exploitation through the web-based attack scenario. The vulnerability could also be exploited if a user opens an attachment that is sent in an email message.
Another bulletin fixes three information disclosure flaws and one elevation of privilege flaw in the Windows Kernel-Mode Driver. Rated Important by Microsoft, it affects all supported Windows operating systems.
The next bulletin addresses an information disclosure vulnerability in the way that Windows parses specially crafted PNG files. This advisory is rated Important and affects all supported Windows operating systems. An attacker could host a malicious website, leverage a compromised website, or use a website that hosts user-provided content, and then convince a user to visit it. An attacker who successfully exploited this vulnerability would be able to read data that was not intended to be disclosed. While this vulnerability wouldn't allow an attacker to execute code or elevate their user rights directly, it could be used to obtain information that could then be used to try to further compromise the affected system.
The Windows Kernel bulletin closes two security holes that could allow elevation of privilege. Since these are elevation of privilege vulnerabilities, an attacker would already have to be able to log on to a system in order to carry out the attack. As a workaround, Microsoft suggests disabling registry virtualization using Group Policy or registry settings, since only processes that utilize registry virtualization are affected. Given the potential impact this may have on a system, patching seems like the better option here.
Exchange Server 2013 gets an Important bulletin that corrects four XSS vulnerabilities that could lead to privilege escalation, as well as a spoofing vulnerability. In a move fairly atypical for Microsoft, they provided detailed information in their proposed workarounds for the XSS vulnerabilities by listing the specific URLs and parameters that are affected. This is extremely helpful to customers who are unable to patch their servers immediately, since they will potentially be able to create web-application firewall rules that block, or at least detect, the malicious requests.
Another Important bulletin patches a spoofing vulnerability in NETLOGON. This advisory only affects server operating systems, so workstations can rest easy. In order to exploit this vulnerability, an attacker would need to be logged in to a domain-joined system and be able to observe network traffic.
The Task Scheduler bulletin addresses a flaw in Windows Task Scheduler that could result in a security feature bypass. This could potentially allow an attacker who has logged in to a machine with limited privileges to leverage Task Scheduler to execute files that they do not have permission to run, bypassing ACL checks and running privileged executables. Operating systems older than Windows 7/2008 R2 are unaffected. Disabling the Task Scheduler service is one potential workaround for this flaw; however, this will impact the system if it currently relies on scheduled tasks for anything, since they would no longer execute.
Another bulletin ranked Important by Microsoft fixes a problem in the Windows Photo Decoder Component that could allow information disclosure. If a user was tricked into browsing to a malicious website containing a specially crafted JPEG XR (.JXR) image, an attacker could potentially read data that was not intended to be disclosed. As with most information disclosure vulnerabilities, even though code execution isn't possible with this vulnerability alone, it's important to remember that attackers can combine the gathered information with other attacks that may ultimately result in the ability to execute arbitrary code on a system.
The RDP bulletin patches a denial of service vulnerability discovered in the Remote Desktop Protocol running on Windows 7, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. By creating multiple RDP sessions that fail to properly free objects in memory, an attacker could potentially exhaust system resources and create a denial of service condition on the target. This won't allow an attacker to execute any code on the system; however, it could impact normal business operations by denying legitimate users the ability to log on to the targeted system. By default, RDP is not enabled on Windows systems, so this vulnerability is limited to systems that have enabled it for administrative purposes.
Lastly, Microsoft patches the infamous FREAK vulnerability discovered earlier this month. After the initial announcement, it was later discovered that this vulnerability also applied to the Windows Schannel implementation. The vulnerability could potentially allow a man-in-the-middle attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. A couple of important things to note here. In order for an attack to be successful, the server that the client is connecting to must support RSA key exchange EXPORT ciphers. Most servers that have been reviewed for security will typically disable insecure cipher suites as part of their TLS/SSL hardening process, in which case these EXPORT suites would likely be disabled. To further that point, the affected ciphers are disabled by default in Windows Vista/2008 and later operating systems. Additionally, when applying the patch to a Windows Server 2003 system, the EXPORT suites are not disabled but are moved further down the cipher priority list. Even where they remain enabled, Microsoft indicates that Windows client systems with this patch installed will no longer downgrade the key length of an RSA key in a TLS connection to a Windows server.
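To make the downgrade concrete from the defender's side, here is an added Python example (not from the original post or from Microsoft) that inspects a server-to-client TLS handshake flight for the two FREAK indicators the paragraph implies: an export-grade RSA suite being negotiated at all, and a ServerKeyExchange message appearing in a plain-RSA handshake, where RFC 5246 says none belongs. The cipher suite IDs are the IANA registry values; the record bytes are constructed inline, and the parser assumes one handshake message per record.

```python
import struct

# RSA export-grade suites from the IANA TLS registry: the suites a FREAK downgrade targets.
RSA_EXPORT_SUITES = {0x0003, 0x0006, 0x0008}
# Plain RSA key-exchange suites; a ServerKeyExchange is never sent for these (RFC 5246 s7.4.3).
RSA_SUITES = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D}

def handshake_messages(stream):
    """Yield (handshake_type, body) for each handshake message in a byte stream of TLS records."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, rec_len = stream[pos], struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload, pos = stream[pos + 5:pos + 5 + rec_len], pos + 5 + rec_len
        if ctype != 0x16:                       # only handshake records carry what we inspect
            continue
        hs = 0                                  # assumption: messages are not split across records
        while hs + 4 <= len(payload):
            body_len = int.from_bytes(payload[hs + 1:hs + 4], "big")
            yield payload[hs], payload[hs + 4:hs + 4 + body_len]
            hs += 4 + body_len

def chosen_suite(server_hello_body):
    pos = 2 + 32                                # skip server_version and random
    pos += 1 + server_hello_body[pos]           # skip session_id
    return struct.unpack("!H", server_hello_body[pos:pos + 2])[0]

def freak_findings(stream):
    """Return a list of findings for one server-to-client handshake flight."""
    findings, suite, saw_ske = [], None, False
    for htype, body in handshake_messages(stream):
        if htype == 0x02:                       # ServerHello
            suite = chosen_suite(body)
        elif htype == 0x0C:                     # ServerKeyExchange
            saw_ske = True
    if suite in RSA_EXPORT_SUITES:
        findings.append("export-grade RSA suite 0x%04x negotiated: EXPORT ciphers still enabled" % suite)
    if suite in RSA_SUITES and saw_ske:
        findings.append("ServerKeyExchange with plain RSA suite 0x%04x: ephemeral export key injected" % suite)
    return findings

def record(htype, body):
    """Wrap a handshake body in one TLS 1.0 record (constructed sample data, one message per record)."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def server_hello(suite):
    return b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"

# Constructed flights: a clean RSA handshake, and the same flight with a ServerKeyExchange inserted
# before ServerHelloDone (a truncated, unparsed RSA_EXPORT params blob), as a FREAK-vulnerable client sees it.
CLEAN = record(0x02, server_hello(0x002F)) + record(0x0B, b"\x00\x00\x00") + record(0x0E, b"")
TAMPERED = CLEAN[:-9] + record(0x0C, b"\x00\x40" + b"\x11" * 64) + record(0x0E, b"")
```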