Microsoft has released a total of 14 bulletins as part of the company’s July 2015 security updates. The updates address vulnerabilities in Windows, Office, SQL Server and Internet Explorer, including two zero-day bugs identified by researchers while analyzing the recent Hacking Team leak.
Vulnerabilities found during analysis of Hacking Team leak
One of the zero-day vulnerabilities is a Jscript9 memory corruption vulnerability (CVE-2015-2419) identified by researchers at Vectra Networks. The flaw affects Internet Explorer 11 and it can be exploited to gain complete control of a vulnerable system.
Vectra Networks representatives told SecurityWeek that the flaw does not require chaining with other vulnerabilities, but it’s not easy to exploit.
“It is fairly difficult to exploit in a meaningful way without crashing IE,” said Wade Williamson, Director of Product Marketing at Vectra Networks. “It is definitely doable, but requires some skill.”
Microsoft says it’s aware of limited, targeted attacks that attempt to exploit this vulnerability.
The exploit code for this vulnerability was not developed by Hacking Team. Instead, Vectra researchers discovered the bug after finding an email in which an external researcher offered to sell the exploit to Hacking Team. The Italy-based spyware maker, whose systems were recently breached, had not acquired the exploit, but the leaked emails contained enough information to allow Vectra to find and analyze the bug.
“After approaching Hacking Team, the researcher may have gone elsewhere to sell the bug, and if successful it may have been exploited in the wild,” Vectra noted.
Another vulnerability related to the Hacking Team breach is a memory corruption flaw (CVE-2015-2387) in the Adobe Type Manager Font Driver (ATMFD.DLL). The bug, whose existence was brought to light by Trend Micro shortly after the Hacking Team breach was revealed, can be exploited to take complete control of vulnerable systems.
Microsoft says this vulnerability has also been exploited in limited, targeted attacks.
These are not the only vulnerabilities found by experts who analyzed the Hacking Team leak. So far, researchers have uncovered three zero-day bugs in Flash Player, all of which have been patched by Adobe.
Security holes in Internet Explorer, Windows, Office and SQL Server
One of the most serious vulnerabilities patched by Microsoft with the July 2015 bulletins is a remote code execution bug (CVE-2015-2373) affecting the Remote Desktop Protocol (RDP).
“CVE-2015-2373 is the first code execution bug in RDP I can remember since 2012. This is very high impact because many businesses rely on remote desktop protocol and many advanced home users configure remote access for RDP into their home,” Tripwire researcher Craig Young told SecurityWeek. “This should definitely be on the top of everyone’s install list. Although Microsoft describes that code execution is tricky, there are a lot of smart people out there and I’m sure it won’t be long before proof-of-concept code starts floating around.”
Another important security update addresses two vulnerabilities in the Windows Hyper-V hypervisor that can be exploited for remote code execution. The bugs are a buffer overflow (CVE-2015-2361) and an uninitialized memory issue (CVE-2015-2362).
“The Hyper-V vulnerability could be especially painful in shared hosting environments given that privileged users on guest operating systems can run code on the host operating system, potentially compromising the security of all shared hosting,” Tyler Reguly, manager of security research at Tripwire, told SecurityWeek.
Microsoft also released a patch for a remote code execution bug in SQL Server. The patch should have been released last month.
“This issue will be particularly critical for database hosting providers allowing users access to create and manipulate database schema in a shared environment. Successful exploitation of this flaw would allow the attacker complete access to the SQL Server by leveraging a very specific edge case,” Young explained.
Microsoft has also resolved various Internet Explorer vulnerabilities, remote code execution bugs in Office, and privilege escalation issues in Netlogon, the Windows graphics component, the Windows kernel-mode driver, and the Windows installer.
Microsoft Security Essentials no longer available for Windows XP
Starting today, Microsoft Security Essentials is no longer available for Windows XP, an operating system for which support ended on April 2014. Despite reaching end of life, Windows XP still has a market share of roughly 12 percent.
“By making these antimalware tools obsolete for lack of support and updates, Windows XP users will become more susceptible to persistent malware attacks,” Heimdal Security explained in a blog post. “Starting today, Windows XP systems won’t be provided with updates antimalware signatures that are used to find and remove known malware families.”