Microsoft has patched a zero-day vulnerability in the Windows kernel uncovered and exploited by Hacking Team. The zero day was found among the 400 GB of data stolen from the Italian surveillance software maker and posted online July 5. A trio of Adobe Flash Player zero days were also uncovered among the stolen data, the last of which were also patched earlier today.
The vulnerability, CVE-2015-2387, is in the Adobe Type Manager Font Driver (ATMFD) and is addressed in bulletin MS15-077. It enables privilege escalation and code execution, and was reported by Google Project Zero and researcher Morgan Marquis-Boire.
“The security update addresses the vulnerability by correcting how Adobe Type Manager Font Driver (ATMFD) handles objects in memory,” Microsoft said in its advisory. It affects Windows Server implementations all the way back to Windows Server 2003. Microsoft rated the vulnerability “important” because it said an attacker would have to log into a target system and then run malicious code.
Microsoft said a number of workarounds—including renaming ATMFD.dll for all affected versions except Windows Server 2003—are available and listed in the advisory.
The Hacking Team zero days overshadowed what should have been today’s defining moment—the end of support for Windows Server 2003. Nine of today’s 14 security bulletins include patches for the end-of-life software. Of the 14 bulletins, four are rated critical and affect Internet Explorer, Windows Remote Desktop Protocol, VBScript Scripting Engine, and Windows Hyper-V; all four bulletins address remote code execution vulnerabilities.
The Internet Explorer bulletin, MS15-065, patches 29 vulnerabilities in the browser including four that have been publicly disclosed. One, a Jscript9 memory corruption bug, was part of the Hacking Team disclosures and was reported by Vectra Networks. An ASLR bypass, IE cross-site scripting filter bypass, and an information disclosure vulnerability have also been publicly disclosed, Microsoft said.
Another critical bulletin to prioritize is MS15-067, which addresses a remote code execution vulnerability in RDP. The bug affects Windows 7 and Windows 8 machines and in most instances will crash them; in some cases RCE is possible.
An attacker would need to send specially crafted sequences of packets to a system running RDP in order to exploit the flaw and install malicious programs, modify data or create accounts. Microsoft said the update addresses the vulnerability by modifying how the terminal service handles packets.
“This is very high impact because many businesses rely on remote desktop protocol and many advanced home users configure remote access for RDP into their home,” said Tripwire security researcher Craig Young. “This should definitely be on the top of everyone’s install list. Although Microsoft describes that code execution is tricky, there are a lot of smart people out there and I’m sure it won’t be long before proof-of-concept code starts floating around.”
The Hyper-V bulletin, MS15-068, could present problems in cloud-based hosting scenarios. It patches two RCE vulnerabilities that can be triggered if a malicious application is run by an authenticated and privileged user on a guest virtual machine hosted on Hyper-V, Microsoft said, adding that an attacker would need valid credentials to exploit this bug.
“The Hyper-V vulnerability could be especially painful in shared hosting environments given that privileged users on guest operating systems can run code on the host operating system, potentially compromising the security of all shared hosting,” said Tyler Reguly, a researcher at Tripwire.
The final critical bulletin, MS15-066, patches one RCE vulnerability in the VBScript scripting engine and affects supported versions of Windows Server.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft said in its advisory. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”
Another bulletin worth calling out is a leftover from June, MS15-058, that addresses three RCE vulnerabilities in SQL Server. The bulletin is rated “important” because an attacker would require permissions to create or modify a database, Microsoft said.
“This issue will be particularly critical for database hosting providers allowing users access to create and manipulate database schema in a shared environment,” Tripwire’s Young said. “Successful exploitation of this flaw would allow the attacker complete access to the SQL Server by leveraging a very specific edge case.”