Microsoft issued nine security bulletins today for this month’s Patch Tuesday.
Three of the bulletins are rated ‘critical’ and impact Internet Explorer and Microsoft Windows. The IE bulletin (MS15-009) will be the focus for many organizations, and fixes a total of 41 vulnerabilities – one of which was disclosed publicly (CVE-2014-8967) and another of which is known to be under attack (CVE-2015-0071). Despite the large number of fixes, the bulletin does not however address the recently reported universal cross-site scripting vulnerability impacting IE.
“The almost ubiquitous critical cumulative patch for all supported versions of Internet Explorer is back (MS15-009) after a one month hiatus, clearly Microsoft was saving up from last month because this advisory addresses 41 CVEs including CVE-2014-8967 which has been publically disclosed and CVE-2015-0071which is under limited targeted attack,” said Ross Barrett, senior manager of security engineering at Rapid7.
The critical Windows bulletins are MS15-010 and MS15-011. According to Microsoft, MS15-010 addresses one publicly-disclosed and five privately-disclosed issues. The most severe of these can be exploited if an attacker convinces a user to open a specially-crafted document or visit an untrusted website that contains embedded TrueType fonts. MS15-011 meanwhile is aimed at one privately reported issue in Windows that could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network.
“A remote code execution vulnerability exists in how Group Policy receives and applies policy data when a domain-joined system connects to a domain controller,” Microsoft explained in its advisory. “To exploit this vulnerability, an attacker would have to convince a victim with a domain-configured system to connect to an attacker-controlled network.”
The bug, CVE-2015-0008, was discovered by JAS Global Advisors and simMachines. According to JAS, all computers and devices that are members of a corporate Active Directory may be at risk.
“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device,” according to a JAS advisory. “Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”
“The IE CVE free-for-all is paired up with two critical remote code execution issues affecting all supported versions of Windows, except Server Core variants,” said Barrett. “For MS15-010 this includes CVE-2015-0010 which has been publically disclosed and is the probably reason for the critical designation here, even though over all Microsoft deems this vulnerability as less likely to be exploited. MS15-011 relates to how group policy is applied and is deemed as likely to be exploitable.”
The remaining bulletins are all classified as ‘Important’, and cover issues affecting Microsoft Office, Windows and Microsoft Server Software. One of these is MS15-016, which Core Security Principal Software Engineer Jon Rudolph called interesting but less urgent than the other bulletins.
“It appears that the Microsoft library that draws .tiff images might be exposing your computer’s data to attackers,” he said. “This kind of vulnerability could be used on a malicious website, and the attacker might be able to see personal information about the user that had not intended to disclose. The good news is that they probably don’t get to pick what they see, and there is not a way to take control of the user’s system directly. However, as the information on our desktops and laptops becomes more vital over time, I think we’re more sensitive to information leaks like this and Heartbleed where attackers eavesdropping for long enough periods are bound to find the keys to our kingdoms and use them to fund and build castles of their own.”