
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products.  This month’s release sees a total of 11 bulletins being released which address 26 CVEs.  The first 4 bulletins are rated Critical and address vulnerabilities within Internet Explorer, Office, IIS, and Graphics Component. The remaining 7 bulletins are rated Important and cover vulnerabilities within SharePoint, Task Scheduler, Windows, XML Core Services, Active Directory, .NET, and Hyper-V.

Bulletins Rated Critical

MS15-032, MS15-033, MS15-034, and MS15-035 are rated Critical.

MS15-032 is this month’s Internet Explorer security bulletin with vulnerabilities in versions 6 through 11 being addressed. This month, 10 CVEs were addressed with the majority of those CVEs being use-after-free vulnerabilities that could result in remote code execution.  A couple of information disclosure vulnerabilities were also addressed this month.

MS15-033 addresses 5 vulnerabilities within Microsoft Office, including CVE-2015-1641, which has been publicly disclosed and is currently being exploited.  Three of these vulnerabilities (CVE-2015-1649, CVE-2015-1650, CVE-2015-1651) are use-after-free conditions.  The other two (CVE-2015-1639, CVE-2015-1641) are a cross-site scripting vulnerability and a memory corruption vulnerability, respectively.

MS15-034 addresses 1 privately reported vulnerability within Windows IIS.  CVE-2015-1635 is a remote code execution vulnerability within the HTTP protocol stack in HTTP.sys, caused by improperly parsing a crafted HTTP request.  In order to exploit this vulnerability, an attacker would need to send a maliciously crafted packet containing a malformed HTTP request to the vulnerable server.

MS15-035 addresses CVE-2015-1645, a privately reported vulnerability within the Microsoft Graphics Component affecting Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.  This vulnerability is a remote code execution vulnerability due to Windows failing to properly parse Enhanced Metafile (EMF) image format files.  An attacker can exploit this vulnerability by crafting a malicious web page which includes the maliciously crafted image file, or by socially engineering the user into opening the crafted image file via some other means, such as email.

Bulletins Rated Important

MS15-036, MS15-037, MS15-038, MS15-039, MS15-040, MS15-041, and MS15-042 are rated Important.

MS15-036 addresses 2 privately reported vulnerabilities within Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2013 SP1.  CVE-2015-1640 and CVE-2015-1653 are cross-site scripting (XSS) vulnerabilities due to SharePoint failing to properly sanitize a specific crafted request to a vulnerable SharePoint server.  An attacker could exploit these vulnerabilities by sending a maliciously crafted request to a vulnerable server and performing an XSS attack.  An attacker would then be able to have their scripts run in the context of any other user currently logged into the SharePoint site.

MS15-037 addresses CVE-2015-0098, a privately reported vulnerability within the Windows Task Scheduler component affecting Windows 7 and Windows Server 2008 R2.  This vulnerability is a privilege escalation vulnerability that is due to a known invalid system task being present on certain systems.  An authenticated attacker would be able to exploit this vulnerability by checking to see if the invalid task is present on the target system, and then reconfiguring the task to launch an application of the user’s choice.  The application that would then be launched would run in the context of the SYSTEM user.

MS15-038 addresses 2 privately reported vulnerabilities affecting all supported versions of Windows.  CVE-2015-1643 and CVE-2015-1644 are privilege escalation vulnerabilities where Windows fails to properly enforce impersonation levels.  This could allow a user to gain administrator access and perform arbitrary administrative functions, such as adding users and installing applications.  An authenticated attacker would be able to exploit these vulnerabilities by crafting and executing an application that would bypass the impersonation level security checks.

MS15-039 addresses CVE-2015-1646, a privately reported vulnerability in Microsoft XML Core Services in Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 2008 R2. This vulnerability is a same-origin policy violation where cross-domain data access is possible in certain scenarios with a specially crafted XML file.  Exploitation of this vulnerability would require a user to open a maliciously crafted XML file via a link to the file on a site or via an email attachment.

MS15-040 addresses CVE-2015-1638, a privately reported vulnerability in Active Directory Federation Services (ADFS). This vulnerability is an information disclosure vulnerability where ADFS fails to properly log out a user.  An attacker can potentially exploit this vulnerability by reopening a browser window after it has been closed and viewing another user’s information.  This vulnerability is only present in Windows Server 2012 R2 and Windows Server 2012 R2 Server Core.

MS15-041 addresses CVE-2015-1648, a privately reported vulnerability within the .NET Framework. This vulnerability is an information disclosure vulnerability that can potentially be exploited if an attacker sends a maliciously crafted web request to a vulnerable server.  An attacker who is able to successfully exploit this vulnerability would be able to view parts of the web configuration file, which could expose sensitive information.

MS15-042 addresses CVE-2015-1647, a privately reported vulnerability within Windows Hyper-V.  This vulnerability is a denial of service vulnerability that can potentially be exploited by an authenticated attacker who runs a maliciously crafted application within a virtual machine on a Hyper-V host.  As a result, other virtual machines running on the same host can potentially become unmanageable via the Virtual Machine Manager.  Neither remote code execution nor privilege escalation is possible with this vulnerability.

Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities.  Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information.  For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort SIDs: 34059-34099

Related Links: Event Response Page