Tuesday, December 8, 2015

Microsoft Patch Tuesday - December 2015

Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 12 bulletins released which address 71 vulnerabilities. Eight bulletins are rated "Critical" this month and address vulnerabilities in Graphics Component, Edge, Internet Explorer, Office, Silverlight, Uniscribe, and VBScript. The other four bulletins are rated "Important" and address vulnerabilities in Kernel Mode Drivers, Media Center, Windows, and Windows PGM.

Bulletins Rated Critical

MS15-124, MS15-125, MS15-126, MS15-127, MS15-128, MS15-129, MS15-130, and MS15-131 are rated as Critical.

MS15-124 and MS15-125 are this month's Edge and Internet Explorer security bulletin respectively. In total, 34 vulnerabilities were addressed this month between the two browsers with 11 vulnerabilities affecting both Edge and IE. The vast majority of the vulnerabilities addressed this month are memory corruption vulnerabilities along with a couple ASLR and XSS filter bypasses. One special note with this bulletin is that CVE-2015-6135 and CVE-2015-6136 are VBScript engine flaws that affect all supported versions of Internet Explorer. However, this bulletin only addresses these vulnerabilities for IE 8 through 11. Users and organizations who use IE 7, or that do not have IE installed will need to install MS15-126 to address these two vulnerabilities.


MS15-126 addresses CVE-2015-6135 and CVE-2015-6136, which are vulnerabilities in the VBScript engine. CVE-2015-6135 is a an information disclosure vulnerability that could be used to discover the location of system objects in memory which could lead to further exploitation. CVE-2015-6136 is an remote code execution vulnerability that manifests as a failure in the VBScript engine to properly handle objects. While both of these vulnerabilities affect IE 7 through 11, this bulletin is only designed to address users and organizations who have IE 7 installed or who do not have IE installed. Users and organizations who use IE 8 and later should refer to MS15-124.

MS15-127 addresses CVE-2015-6125, a use-after-free vulnerability in Windows DNS that could lead to remote code execution. Windows Servers that are configured as DNS servers are at risk of compromise due to a flaw in how Windows DNS servers parse certain requests. An attacker who transmits specifically crafted requests could exploit this vulnerability and execute arbitrary code on the server.

MS15-128 addresses three memory corruption vulnerabilities (CVE-2015-6106, CVE-2015-6107, CVE-2015-6108) in the Graphics component. These vulnerabilities manifest as a flaw in how the Windows font library handles specifically crafted embedded fonts. Exploitation of this vulnerability could allow remote code execution via a malicious crafted document or via a user who navigates to a webpage containing these specially crafted embedded fonts.

MS15-129 addresses three vulnerabilities (CVE-2015-6114, CVE-2015-6165, CVE-2015-6166) in Silverlight this month. CVE-2015-6166 is the most severe of the three vulnerabilities and could allow remote code execution if a user navigates to a website that contains a maliciously crafted Silverlight application that exploits this vulnerability. The other two vulnerabilities, one of which was discovered by Marcin Noga of Cisco Talos (CVE-2015-6114), are information disclosure vulnerabilities that could be used to degrade the effectiveness of ASLR.

MS15-130 addresses one vulnerability in Microsoft Uniscribe. CVE-2015-6130 is an integer underflow vulnerability that can lead to remote code execution due to Uniscribe failing to properly parse specifically crafted fonts. If a user visits a webpage that contains specially crafted fonts or opens a specially crafted document, the vulnerability could be exploited. Note that this vulnerability impacts Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 only.

MS15-131 is this month's Office security bulletin addressing six vulnerabilities that impact Office 2007 through Office 2016. Five of the vulnerabilities are memory corruption flaws that manifest as a failure in Office application to parse document files correctly. The remaining vulnerability is a remote code execution flaw that manifests as a flaw in how Outlook parses specifically crafted email messages.

Bulletins Rated Important

MS15-132, MS15-133, MS15-134, and MS15-135 are rated as Important.

MS15-132 addresses three elevation of privilege vulnerabilities (CVE-2015-6128, CVE-2015-6132, & CVE-2015-6133) in the Windows library loading functionality. The affected versions include supported versions of Windows. Executing a specially crafted application on the system that exploits these vulnerabilities could allow an attacker to gain complete control of the system.

MS15-133 addresses CVE-2015-6126. This issue allows an authenticated user who exploits this Windows PGM UAF vulnerability to execute code with elevated privileges that would allow them to install programs. The affected versions include supported versions of Windows.

MS15-134 is this month’s Windows Media Center bulletin and addresses two vulnerabilities (CVE-2015-612 & CVE-2015-6131). The affected versions include WIndows Vista Service Pack 2, Windows 7 Service Pack 1, and Windows 8 & 8.1. If an Attacker can entice a user open a specially crafted Media Center link (.mcl) file that references malicious code, then the attacker could gain control of the system. Workstations present the highest risk of exploitation.

MS15-135 is this month’s Windows Kernel Mode Driver bulletin. This bulletin addresses four vulnerabilities all related to elevation of privilege vulnerabilities. An authenticated user can exploit these vulnerabilities to run arbitrary code in kernel mode that would allow them to install programs; view, change, or delete data; or create new accounts with full user rights.


Coverage

In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules: 36917, 36988, 35149-35150, 36673-36674, 36918-36953, 36956-36977, 36980-36987, 36989-37004, 37009-37013

No comments:

Post a Comment