Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release contains 12 bulletins addressing 53 vulnerabilities. Four bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, Windows Journal, and Windows. The remaining eight bulletins are rated important and address vulnerabilities in .NET, IPsec, Kerberos, Lync/Skype for Business, NDIS, Office, SChannel, and Winsock.
Bulletins Rated Critical Microsoft bulletins MS15-112 through MS15-115 are rated as critical in this month's release.
MS15-112 and MS15-113 are this month's Internet Explorer and Edge security bulletin respectively. In total, 25 vulnerabilities are addressed with four of them specifically affecting both IE and Edge. The remaining 21 vulnerabilities only affect Internet Explorer. The majority of the vulnerabilities that are resolved in this month's release are memory corruption defects. In addition, an ASLR bypass, an information disclosure vulnerability, and a couple of scripting engine flaws are also addressed.
MS15-114 addresses one privately reported vulnerability in Windows Journal. CVE-2015-6097 is an arbitrary code execution vulnerability that manifests as a flaw in how Windows Journal parses a Journal file. Exploitation of the vulnerability requires that a user open a maliciously crafted Journal file on a vulnerable system. One possible way a user might encounter a malicious Journal file is through an email attack where a message contains a malicious Journal file as an attachment. Microsoft has published workarounds to mitigate the risk of compromise.
MS15-115 addresses seven vulnerabilities in Windows with five vulnerabilities in the kernel and two vulnerabilities in the graphics component.
- Kernel Vulnerabilities
Two of the five vulnerabilities in the kernel (CVE-2015-6100, CVE-2015-6101) are privilege escalation flaws that could allow a user to perform actions in the context of an administrator. Another two vulnerabilities in the kernel (CVE-2015-6102, CVE-2015-6109) are information disclosure flaws that could allow an attacker to learn the location of kernel components in memory, leading to a ASLR bypass. The fifth vulnerability in the kernel (CVE-2015-6113) is a security feature bypass flaw that could allow an attacker to improperly interact with the filesystem in the context of a low integrity level application. - Graphics Component Vulnerabilities
Both vulnerabilities in the graphics component are remote code execution flaws in the Adobe Type Manager library. CVE-2015-6103 and CVE-2015-6104 manifest as flaws in how OpenType fonts are handled in memory. An adversary could exploit these flaws by convincing a user to open a maliciously crafted document or visiting an untrusted web page containing an embedded OpenType font.
Bulletins Rated Important Microsoft bulletins MS15-116 through MS15-123 are rated as important in this month's release.
MS15-116 is this month's Office security bulletin targeting Mac and Windows versions of Office 2007 through Office 2016. This month, seven vulnerabilities are addressed with five being memory corruption flaws, one privilege escalation flaw, and one spoofing vulnerability. Exploitation of the memory corruption flaws is possible if a user opens a malicious crafted document that exploits how Office parses certain types of documents. Exploitation of the privilege escalation flaw is possible if an adversary instantiates an affected Office application via a COM control in Internet Explorer. This could allow an adversary to escape the IE sandbox and execute code in the context of the current user. Exploitation of the spoofing vulnerability is possible if the user previews a maliciously crafted email message in Outlook for Mac 2011. An adversary could then redirect the victim to a malicious website via this vulnerability.
MS15-117 addresses a single, privately reported vulnerability in the Windows Network Driver Interface Specification (NDIS). CVE-2015-6098 is a privilege escalation vulnerability that could allow an authenticated adversary to gain administrator privileges via running a specifically crafted application that is designed to exploit the vulnerability. This vulnerability only affects Windows Vista, Windows 7, Windows Server 2008 R2 and Server 2008 Server Core installations.
MS15-118 addresses three vulnerabilities in .NET Framework versions 2.0 through 4.6. CVE-2015-6096 is an information disclosure vulnerability that manifests as a flaw in how the .NET Framework DTD parses certain XML files. Exploitation of this vulnerability is possible if a user executes a specifically crafted application that could then lead to an adversary gaining read access to the local filesystem. CVE-2015-6099 is a privilege escalation vulnerability that manifests as a flaw in how the .NET Framework validates the value of an HTTP request. Exploitation of this vulnerability could allow an attacker to inject a client-side script into the user's browser. CVE-2015-6115 is an ASLR bypass flaw would allow an adversary to potentially exploit other vulnerabilities that would normally be mitigated with ASLR.
MS15-119 addresses a single, privately reported vulnerability in Windows Winsock. CVE-2015-2478 is a privilege escalation vulnerability that manifests when Winsock makes a call to a memory address without verification that it is valid. Exploitation of this vulnerability could result in an adversary being able to execute code with higher permissions than allowed. An adversary could exploit this vulnerability by logging onto a vulnerable system and executing a maliciously crafted application that is designed to exploit this vulnerability.
MS15-120 addresses a single vulnerability in the Windows Internet Protocol Security (IPsec) service. CVE-2015-6111 is a denial of service vulnerability that manifests as a flaw in how the IPsec services handles encryption negotiation. An adversary could trigger this condition by connecting to a targeted system with a malicious application that is designed to exploit the flaw in the encryption negotiation, causing the system to become unresponsive. Exploitation of this vulnerability requires an adversary to have valid credentials.
MS15-121 addresses a single vulnerability in Windows SChannel. CVE-2015-6112 is a spoofing vulnerability in SChannel that manifests as a flaw in all supported versions of the TLS protocol. Exploitation of this vulnerability could result in an adversary impersonating a victim on any other services that uses the same credentials as those used between the victim and the server where the attack is initiated. Note that for this attack to be successful, an adversary would need to first conduct a man-in-the-middle (MITM) attack between a client and a legitimate server.
MS15-122 addresses one privately reported vulnerability in Windows Kerberos. CVE-2015-6095 is a security feature bypass vulnerability that manifests as a flaw in how Windows checks the password change of a user signing into a workstation. Exploitation of this vulnerability could result in an adversary gaining the ability to unlock a workstation and decrypt drives encrypted with BitLocker if BitLocker is enabled without a PIN or USB key. If an adversary has physical access to the target machine, they could exploit this vulnerability and bypass Kerberos authentication by connecting a workstation to a malicious Kerberos Key Distribution Center (KDC).
MS15-123 addresses one privately reported vulnerability in Lync 2010, 2013, and Skype for Business 2016. CVE-2015-6061 is a server input validation security feature bypass vulnerability that manifests as a flaw in how Lync sanitizes specifically crafted content. Exploitation of this vulnerability could result in an adversary being able to execute arbitrary HTML and JavaScript within the context of Lync. If an adversary were to invite a user to an instant message session and send the user a message containing maliciously crafted JavaScript, they could then use the vulnerability to open a webpage in a web browser, opening another IM session, or trigger other URI that are defined by other applications on the victim's system.
Coverage In response to these bulletin disclosures, Talos is releasing the following rules to address these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.
Snort SIDs:36671-36754, 36759-36762, 36766-36767