Microsoft released 11 security bulletins today to address vulnerabilities in a number of products, including a critical Office bug being exploited in the wild.
That issue is CVE-2015-1641 (MS15-033), a remote code execution vulnerability that exists due to the Office software failing to properly handle rich text format files in memory. According to Microsoft, the vulnerability is being exploited in limited, targeted attacks.
“Exploitation of this vulnerability requires that a user open a specially crafted malicious office file, which grants the user the same permissions as the currently running user,” said David Picotte, manager of security engineering at Rapid7. “As we’re all well aware, users are extremely susceptible to phishing attacks, now might be a good time to remind your users to be vigilant and focus your patching efforts on this actively exploited vulnerability.”
MS15-033 is just one of four security bulletins released this month that are classified by Microsoft as ‘critical.’ The others include a massive update for Internet Explorer (MS15-032) that fixes several vulnerabilities. The most severe of the bugs allow remote code execution if a user views a specially-crafted webpage using IE.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user,” according to Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
The last two critical updates are MS15-034 and MS15-035, and are both for Microsoft Windows. MS15-034 deals with a remote code execution vulnerability that exists in the HTTP protocol stack (HTTP.sys) and occurs when HTTP.sys improperly parses specially-crafted HTTP requests. An attacker could exploit the issue to execute arbitrary code in the context of the system account.
MS15-035 addresses a remote code execution bug that can be exploited if an attacker gets a user to browse to a specially-crafted website, open a malicious file or browse to a working directory containing a malicious Enhanced Metafile (EMF) image file.
“The remaining bulletins are rated as important and include privilege elevation, security feature bypass and denial of service vulnerabilities affecting SharePoint, AD federation services, all versions of .Net and Hyper-V,” Picotte said. “The Hyper-V bulletin (MS15-042 – CVE-2015-1647) in particular could pose a challenge to administrators as it requires a restart, the downstream affects being that hosted VMs will need to be migrated or brought offline for this patching to occur. Administrators might want to hold off until a scheduled maintenance window for MS15-042, as the exploit only results in a denial of service (DoS) and exploitation is rated as ‘less likely’ by Microsoft.”
In addition to the Microsoft patches, Adobe Systems released patches today to cover 22 security holes in Flash Player for Windows, Macs and Linux. One of the vulnerabilities, CVE-2015-3043, is known to be getting targeted in the wild by attackers. Adobe also issued a fix for Cold Fusion as well.