Microsoft’s monthly release of security bulletins today is a relatively light load of patches to be tested and deployed. The real news, however, could be in a separate advisory in which it continues to deprecate the outdated RC4 encryption algorithm.
Following its initial advisory in May that applied to the .NET framework, today’s move extends RC4 deprecation to Windows 10 systems that are running .NET Framework 3.5 applications and systems with .NET Framework 4.6 installed that are running .NET Framework 4.5/4.5.1/4.5.2 applications.
The advisory also updates the default transport encryption in Windows to TLS 1.2.
The move is timely as the industry continues to move away from weakened cryptography. For example, a recent academic paper projects that the time to arrive at a practical SHA-1 collision attack can now be measured in months, not years. Continuous improvements in processing speed and availability, combined with refinements to existing attacks, put weak cryptography within reach of well-funded criminal or state-sponsored operations.
As for today’s half-dozen security bulletins, Microsoft has rated three of them as critical, including the ubiquitous Internet Explorer rollup and patches for remote code execution vulnerabilities in the VBScript and JScript engines in Windows.
Four vulnerabilities are addressed in MS15-108, none of which have been publicly disclosed; Microsoft said it is also not aware of public exploits.
Microsoft said attackers could host an exploit online or phish users with a malicious ActiveX control embedded in an Office document that uses the Internet Explorer rendering engine to redirect users to the malicious website.
The vulnerabilities affect Vista, Windows Server 2008 and Server Core installations of Windows Server 2008 R2. Today’s update patches two separate scripting engine memory corruption vulnerabilities, an information disclosure flaw and an ASLR bypass.
“The update addresses the vulnerabilities by modifying how the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature,” Microsoft said in its advisory.
“With the number of JScript and VBScript related vulnerabilities addressed this month, Microsoft needs to adopt a disabled by default strategy with those technologies until they can be removed entirely,” said Core Security systems engineer Bobby Kuzma. “Unfortunately that will never happen, due to the huge legacy application technical debt held by large organizations and governments worldwide.”
Microsoft also patched 14 vulnerabilities in Internet Explorer and two more in the Microsoft Edge browser for Windows 10 systems.
Most of the IE update, MS15-106, addresses memory corruption vulnerabilities, along with a handful of privilege elevation and information disclosure flaws. There is also some overlap with the VBScript and JScript bulletin, since IE is the principal attack vector there. One of the IE bugs, reported by researchers at FireEye, has been publicly disclosed, but none of the flaws have been exploited in the wild, Microsoft said.
The Microsoft Edge bulletin, MS15-107, is rated moderate and takes care of a vulnerability that enables bypass of the browser’s cross-site scripting filter, and a separate information disclosure vulnerability.
The remaining critical bulletin patches a remote code execution vulnerability in Windows Shell.
“The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online,” Microsoft said in advisory MS15-109.
The remaining bulletins are rated important by Microsoft.
MS15-110 patches three remote code execution vulnerabilities in Microsoft Office, all of which are memory corruption flaws, while MS15-111 is a Windows kernel update that patches five vulnerabilities, including three different privilege elevation flaws, a memory corruption issue, and a Trusted Boot bypass.