May 2015 Patch Tuesday

BeyondTrust Research Team
May 13th, 2015

This month’s Patch Tuesday is massive, to say the least, with a total of 13 bulletins affecting many products and all supported versions of Windows. Earlier this month, Microsoft announced that the upcoming Windows 10 will not follow the typical Patch Tuesday cycle; updates will instead be provided as they become available. That said, let’s dive into the systems to which Patch Tuesday still applies.

MS15-043: Cumulative Security Update for Internet Explorer (3049563)

As expected, IE delivers its monthly round of fixes, this time patching 22 vulnerabilities. Successful exploitation can lead to a range of compromises including remote code execution, elevation of privilege, information disclosure, and security feature bypasses. The most worrisome are the remote code execution vulnerabilities, 14 in all. What’s worse is that an attacker would typically have a tough time getting past address space layout randomization (ASLR), but thanks to the vulnerabilities discovered in the VBScript and JScript engines, ASLR can be bypassed. These ASLR bypasses are not limited to aiding IE exploitation; they can be chained with other attack vectors as well. The good news is that in all cases an attacker would have to persuade the victim to view malicious content. So if you make it a habit not to click on random links in emails, give yourself a pat on the back for not making the bad guys’ job easier.

MS15-044: Vulnerabilities in GDI+ Could Allow Remote Code Execution (3057110)

Next up, OpenType and TrueType fonts make an ugly return by allowing remote code execution. Font-parsing vulnerabilities such as these are particularly nasty because so many applications share the affected parsing code. In this case, components within Windows, .NET Framework, Office, Lync, and Silverlight can all be affected. This should serve as a reminder to be extra careful when opening documents, since they can carry malicious TrueType fonts embedded within them.

MS15-045: Vulnerability in Windows Journal Could Allow Remote Code Execution (3046002)

Next, Windows Journal is patched for a remote code execution vulnerability discovered by one of our own researchers here at BeyondTrust. This vulnerability affects all versions of Windows from 7 onward. Exploitation occurs when opening a specially crafted Journal (.jnt) file; the attacker’s code runs with the rights of the current user, so accounts with limited rights are affected far less than administrative accounts.

MS15-046: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3057181)

This bulletin addresses two memory corruption vulnerabilities affecting multiple Office products including (but not limited to) Word, Excel, and PowerPoint. Again, successful exploitation depends on the victim being convinced to open a specially crafted file or to visit a malicious webpage.

MS15-047: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (3058083)

This Important-rated bulletin addresses a single vulnerability within SharePoint Server. Remote code execution is possible due to a sanitization error when SharePoint Server processes specially crafted page content. Exploitation requires authentication, so exposure is limited.

MS15-048: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (3057134)

Two vulnerabilities were discovered in .NET, one leading to denial of service and the other to elevation of privilege. The denial of service vulnerability exists in XML data decryption and is triggered when a remote attacker sends specially crafted XML data to a .NET application. The elevation of privilege vulnerability exists in Windows Forms’ handling of objects in memory and would typically be exploited in conjunction with a remote code execution vulnerability in order to run arbitrary code with full user rights.

MS15-049: Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985)

Silverlight makes an appearance this month, this time addressing a single vulnerability which could allow elevation of privilege and, through it, arbitrary code execution. Successful exploitation requires a logged-on user to open a specially crafted Silverlight application.

MS15-050: Vulnerability in Service Control Manager Could Allow Elevation of Privilege (3055642)

This privately reported vulnerability exists within the Service Control Manager (SCM) and affects all supported versions of Windows. SCM improperly verifies impersonation levels, which can allow a local, logged-on user to make calls to SCM for which they lack sufficient privilege.

MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191)

Multiple vulnerabilities, reported by WanderingGlitch of HP’s Zero Day Initiative, were discovered in Windows kernel-mode drivers. Five of these vulnerabilities can lead to kernel memory disclosure, potentially leaking sensitive information about the system. An elevation of privilege vulnerability was also addressed, although successful exploitation requires a local attacker to be logged on to the system. Additionally, it should be noted that a publicly available exploit has been released for CVE-2015-1701. More information, including a detailed write-up, can be found on GitHub.

MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514)

This bulletin addresses another ASLR bypass vulnerability; what makes this one a little more interesting is that it leaks kernel memory layout. An error within the cng.sys driver allows an attacker to determine the driver’s base address, from which other module addresses can be computed using a known offset. Again, successful exploitation requires a local attacker to be logged on to the system.

MS15-053: Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass (3057263)

Two more ASLR bypass vulnerabilities, one of which was discovered by a BeyondTrust researcher, were reported within the JScript and VBScript engines. Attackers can exploit these vulnerabilities by serving a malicious website and having the victim browse to it with an affected version of Internet Explorer (6 through 11).

MS15-054: Vulnerability in Microsoft Management Console File Format Could Allow Denial of Service (3051768)

This bulletin addresses a vulnerability, discovered by Michael Heerklotz with HP’s Zero Day Initiative, in the handling of .msc files when Windows processes their icon information. Because the icon destination buffer is not validated properly, a crash occurs, resulting in a denial of service. Successful exploitation requires the victim to open a specially crafted .msc file.

MS15-055: Vulnerability in Schannel Could Allow Information Disclosure (3061518)

Lastly, our good friend Schannel receives an update addressing an information disclosure vulnerability. Schannel allowed a weak Diffie-Hellman ephemeral (DHE) key length of 512 bits to be negotiated during an encrypted TLS session; 512-bit discrete logarithms are within reach of a well-resourced attacker, so anyone who captures such a session can feasibly recover the session key and decrypt the traffic. This vulnerability affects all supported versions of Windows and is rated Important by Microsoft.
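The practical question after MS15-055 is whether any TLS peer is still offering 512-bit DHE parameters on the wire. As an added illustration (this is not code from the post, from BeyondTrust or from Microsoft), the following Python parses the ServerDHParams structure of a TLS 1.2 ServerKeyExchange message (RFC 5246 section 7.4.3) and reports the size of the prime, which is what a passive check on captured handshakes has to look at. The sample messages are constructed here with made-up, non-prime moduli purely to exercise the parser, and the 1024-bit threshold is a policy parameter rather than a claim about any particular Windows build.

```python
import struct

# Policy threshold: DH primes shorter than this are flagged as weak.
# 1024 bits is the floor commonly applied after MS15-055; treat it as a
# parameter here, not as a statement about a specific build.
MIN_DHE_BITS = 1024


def _read_opaque16(buf, offset):
    """Read one <0..2^16-1> length-prefixed opaque vector (RFC 5246 syntax)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length prefix at offset %d" % offset)
    (length,) = struct.unpack("!H", buf[offset:offset + 2])
    start, end = offset + 2, offset + 2 + length
    if end > len(buf):
        raise ValueError("vector at offset %d runs past end of message" % offset)
    return buf[start:end], end


def parse_server_dh_params(body):
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } from a ServerKeyExchange body.

    The bit length of p is measured on the integer, so leading zero bytes on
    the wire do not inflate the apparent strength. Any signature following
    the params (signed DHE suites) is left unparsed; 'consumed' says where
    it would start.
    """
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    p = int.from_bytes(p_bytes, "big")
    return {
        "p": p,
        "g": int.from_bytes(g_bytes, "big"),
        "ys": int.from_bytes(ys_bytes, "big"),
        "p_bits": p.bit_length(),
        "consumed": off,
    }


def dhe_verdict(body, min_bits=MIN_DHE_BITS):
    """Return (is_weak, p_bits) for a ServerKeyExchange DHE body."""
    params = parse_server_dh_params(body)
    return params["p_bits"] < min_bits, params["p_bits"]


def build_server_dh_params(p, g, ys, pad_p=0):
    """Encode ServerDHParams; pad_p prepends zero bytes to dh_p, as some
    encoders do, to show that wire length is not key strength."""
    def opaque16(n, pad=0):
        raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return opaque16(p, pad_p) + opaque16(g) + opaque16(ys)


# Constructed sample messages (made-up, non-prime moduli; parser exercise only).
SAMPLES = {
    "dhe512": build_server_dh_params((1 << 511) | 1, 2, 0x1234),
    "dhe512_padded": build_server_dh_params((1 << 511) | 1, 2, 0x1234, pad_p=1),
    "dhe2048": build_server_dh_params((1 << 2047) | 1, 2, 0x1234),
}


def audit_samples(samples=SAMPLES):
    """Run the verdict over every sample; returns {name: (is_weak, p_bits)}."""
    return {name: dhe_verdict(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, (weak, bits) in audit_samples().items():
        print("%-14s p=%4d bits  %s" % (name, bits, "WEAK" if weak else "ok"))
```

In a real capture the body starts after the 5-byte TLS record header and the 4-byte handshake header (type 0x0c plus a 3-byte length); for signed DHE suites the signature follows the three vectors, which is why the parser reports how many bytes it consumed rather than requiring the message to end there. The padded sample is the case worth remembering: a 65-byte dh_p vector still carries a 512-bit modulus, so a check that multiplies vector length by eight will under-report the weakness.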

BeyondTrust Research Team

The BeyondTrust Research Team is known for identifying new trends in enterprise security, including some of the very first critical Microsoft security vulnerabilities. By providing in-depth research analysis of the latest and cutting-edge vulnerabilities, the team’s goal is to educate our customers on the evolving threat landscape while shaping the future of BeyondTrust’s privilege and vulnerability management solutions.