IT administrators today were granted a relatively light month of security bulletins from Microsoft, which is likely to be welcomed given that Windows Server 2003 security support ends in little more than a month.
Microsoft today released eight bulletins, two of them rated critical, including a now-customary beefy Internet Explorer update.
Two dozen vulnerabilities were addressed in the latest cumulative update for IE, MS15-056, a good chunk of those flaws rated critical in later versions of the browser. Most of the vulnerabilities enable remote code execution; one information disclosure bug has been publicly disclosed, but Microsoft said it is not aware of exploits in the wild.
Microsoft said the publicly disclosed bug allows an attacker to access a user’s browser history; the update prevents browser histories from being accessed by a malicious site. The flaw does not impact Windows Server installations since those run by default in Enhanced Security Configuration, which is a restricted mode that reduces the chances of web content being executed on the server.
“Although an attacker could almost certainly read the browsing history after exploiting any of the other dozens of vulnerabilities plugged this month, it seems likely to me that the information disclosure is going to be more easily exploited than any memory corruption bug,” said Craig Young, security researcher at Tripwire.
Young also calls out one of the memory flaws, CVE-2015-1756, which is rated important by Microsoft in MS15-060. The bug is a use-after-free vulnerability in the Microsoft Common Controls subsystem, which could allow remote code execution if the user interacts with malicious content through IE and then invokes F12 Developer Tools in IE.
“This flaw presents an interesting attack vector for going after researchers using the Internet Explorer ‘Developer Tools’ to analyze a malicious or malfunctioning web site,” Young said.
The IE bulletin also addresses three elevation of privilege flaws and a long list of memory corruption vulnerabilities that enable an attacker to run code on a victim’s machine.
The other critical bulletin, MS15-057, patches a remote code execution bug in Windows Media Player. Malicious media content executed by the vulnerable media player could give an attacker complete control over the user’s computer, Microsoft said. The bulletin is rated critical for Windows Media Player 10 on Windows Server 2003, Windows Media Player 11 on Vista or Windows Server 2008, and Windows Media Player 12 on Windows 7 or Server 2008 R2. Microsoft said it addressed how the player handles DataObjects to correct the vulnerability. Microsoft did provide one workaround that involves removing wmplayer.exe from the IE ElevationPolicy.
The Windows Media Player vulnerability was reported through coordinated vulnerability disclosure, Microsoft said, adding that it is not aware of public attacks exploiting this bug.
The remaining bulletins are rated important by Microsoft:
- MS15-059 patches three memory-related remote code execution vulnerabilities in Microsoft Office, none of which have been publicly exploited.
- MS15-061 patches 11 elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers.
- MS15-062 patches one elevation of privilege vulnerability in Active Directory Federation Services that could lead to cross-site scripting attacks.
- MS15-063 patches one elevation of privilege vulnerability in the Windows kernel. An attacker would need to drop a malicious .dll file in a local directory that would be executed by a program loading the library.
- MS15-064 patches three elevation of privilege vulnerabilities in Microsoft Exchange Server 2013. One of the bugs is a server-side request forgery flaw, while another is a cross-site request forgery issue. The final bug is an HTML injection vulnerability resulting in information disclosure.
Microsoft also released two separate security advisories, one updating Flash Player in Internet Explorer, addressing security vulnerabilities already patched by Adobe earlier in the day, while the other updates the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and RT 8.1. Junos Pulse is a VPN shipped with Windows 8.1 and later.
The update patches the so-called FREAK vulnerability and other OpenSSL issues in Junos Pulse.