Microsoft today patched a vulnerability in its graphics component present in Windows, Office and Lync that has been publicly attacked, and is one of five vulnerabilities patched this month that have been publicly disclosed.
Microsoft released a dozen bulletins today, five of them it rates critical, including separate updates for Internet Explorer and the new Edge browser in Windows 10, the second month in a row Edge has been patched since it was released.
The Microsoft Graphics Component bulletin, MS15-097, patches 11 vulnerabilities. The highest priority should be CVE-2015-2546, a memory corruption bug that leads to elevation of privilege that is under attack. Microsoft rated the bug “Important”, likely because it said an attacker would have to be logged on to a vulnerable Windows machine and run code; it provided no further details on the attacks or where the vulnerability was disclosed. It was reported by FireEye researcher Wang Yu.
“An attacker who successfully exploited the vulnerabilities could run arbitrary code in kernel mode,” Microsoft said in its advisory.
A separate remote-code execution buffer-overflow vulnerability in the bulletin, CVE-2015-2510, was rated “Critical” and was found in Office and the Lync communications platform.
The bulletin also contains a number of patches for vulnerabilities in Windows and the Windows Adobe Type Manager Library, addressing how the software handles OpenType fonts and issues in the font driver that could lead to system crashes or elevation of privilege, Microsoft said.
MS15-094, meanwhile, patches 17 bugs in Internet Explorer, most of which allow for remote code execution if a user visits a compromised website hosting attack code with IE.
IE7-IE11 are affected by this bulletin and a range of vulnerabilities are patched in the browser, including information disclosure bugs, memory corruption issues and privilege escalation. Only one flaw, CVE-2015-2542, has been publicly disclosed; it affects only IE 10 and 11 and IE11 on Windows 10.
Microsoft also patched the new Edge browser for the second month running. Edge is the replacement for Internet Explorer on Windows 10 machines and the bulletin, MS15-095, patches four memory corruption vulnerabilities, all of which are rated critical. The same publicly disclosed vulnerability in Internet Explorer also is present in Edge, Microsoft said.
Critical vulnerabilities in Windows Journal also were patched in MS15-098; those bugs opened the door to remote code execution attacks as well if victims were tricked into opening a malicious Journal file from an email or the web. Five vulnerabilities were patched in Windows Journal, including a low-risk denial of service flaw.
Microsoft also released a critical bulletin for remote code execution vulnerabilities in Office. MS15-099 patches four memory corruption bugs in Office software going back to Office 2007 Service Pack 3, as well as a cross-site scripting spoofing vulnerability in Microsoft SharePoint Foundation 2013. None of the bugs have been publicly disclosed or exploited, Microsoft said.
The remainder of the bulletins were rated “Important” by Microsoft:
- MS15-096 patches a denial of service vulnerability in Active Directory that requires local access and
- MS15-100 patches a vulnerability in Windows Media Center that allows for remote code execution if a malicious Media Center link (.mcl) is opened.
- MS15-101 patches elevation privilege vulnerabilities in the .NET Framework if a victim runs a malicious application on a vulnerable system.
- MS15-102 patches elevation of privilege vulnerabilities in Windows Task Management that happen when Windows fails to validate and enforce impersonation levels or certain file system interactions.
- MS15-103 patches information disclosure vulnerabilities in Microsoft Exchange Server if exploited via Outlook Web Access.
- MS15-104 patches elevation of privilege vulnerabilities in Skype for Business Server and Microsoft Lync Server.
- MS15-105 patches a security feature bypass vulnerability in Windows Hyper-V where malicious code could force Hyper-V to incorrectly apply access control list configurations.