Microsoft Patches Vulnerability Under Attack and Google-Disclosed Zero Day

Microsoft issued eight Patch Tuesday security bulletins, including a fix for a vulnerability disclosed by Google and another under active attack.

For the first time in more than a decade, the majority of Windows IT shops walked blindly into Patch Tuesday.

After announcing last week that it would no longer provide its Advanced Notification Service of upcoming security bulletins to the public, Microsoft today ladled eight bulletins onto admins’ plates, including a patch for a vulnerability publicly disclosed by Google after expiration of its self-imposed 90-day disclosure deadline. One of the bulletins was rated critical by Microsoft, but another set of patches rated important by the company may merit more priority.

Microsoft said that MS15-004, which patches a directory traversal vulnerability in the TS WebProxy Windows component, is being used in limited attacks. The lesser severity rating is likely because the vulnerability, CVE-2015-0016, would have to be combined with another security flaw to enable remote code execution.

“For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions),” Microsoft said in its advisory. “However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).”

The vulnerability is present because Windows fails to properly sanitize file paths, Microsoft said. Successful exploits could allow an attacker to remotely install malware, manipulate data, or create new accounts, all with the user’s privileges. An attacker would have to entice a user to download a malicious application designed to exploit the vulnerability, or host a malicious website that would exploit the bug.

A temporary workaround, Microsoft said, would be to remove TSWbPrxy from the IE Elevation Policy. The flaw is found in Windows systems starting with Vista.

The only critical bulletin, MS15-002, affects Windows Servers with Telnet enabled; it is not installed by default on Vista and later versions of Windows, Microsoft said.

The vulnerability, CVE-2015-0014, is a buffer overflow in Windows Telnet service that leads to remote code execution. Microsoft said there are no reports of public exploits.

“The vulnerability is caused when the Telnet service improperly validates user input. An attacker could attempt to exploit this vulnerability by sending specially crafted telnet packets to a Windows server, and if successful, could then run arbitrary code on the server,” Microsoft said in its advisory. “The update addresses the vulnerability by correcting how Telnet validates user input.”

Telnet is installed on Windows Server 2003 machines, but not enabled; it is not installed on later versions of Windows. Users would have to turn Telnet on or install it in the respective systems.
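As an added defender-side example (not from the article or from Microsoft), the PowerShell audit below checks a host for the two exposures described above: it lists any Internet Explorer Elevation Policy entries for TSWbPrxy, the component Microsoft's MS15-004 workaround says to remove, and reports whether the Telnet service behind MS15-002 is installed or running. The registry paths and the TlntSvr service name are the standard Windows locations for those settings; the meaning of the Policy values in the comments follows Microsoft's Protected Mode documentation.

```powershell
# Added audit example (not the article's or Microsoft's code). Run from an elevated prompt.
$policyRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)

# 1. MS15-004: find elevation policy entries that let TSWbPrxy leave Protected Mode.
#    Policy: 0 = run in Protected Mode, 1 = silently block, 2 = prompt, 3 = run at medium integrity.
$found = foreach ($root in $policyRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.AppName -like 'TSWbPrxy*') {
            [pscustomobject]@{
                Key     = $_.PSChildName
                AppName = $props.AppName
                AppPath = $props.AppPath
                Policy  = $props.Policy
                Path    = $_.PSPath
            }
        }
    }
}

if ($found) {
    Write-Host 'IE Elevation Policy entries for TSWbPrxy (workaround target until MS15-004 is installed):'
    $found | Format-Table Key, AppName, AppPath, Policy -AutoSize
    # Microsoft's workaround is to remove the entry; uncomment after reviewing the list above.
    # $found | ForEach-Object { Remove-Item -Path $_.Path -Recurse }
} else {
    Write-Host 'No TSWbPrxy elevation policy entry found.'
}

# 2. MS15-002: the Telnet service only matters if it is present on the host.
$telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
if ($null -eq $telnet) {
    Write-Host 'Telnet service (TlntSvr) not installed: MS15-002 not exposed on this host.'
} else {
    Write-Host ("Telnet service installed, status: {0}" -f $telnet.Status)
}
```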

For the first time in many months, Patch Tuesday does not include an Internet Explorer cumulative update. Microsoft did, however, re-release MS14-080, which was the December 2014 IE rollup. Microsoft also revised Security Advisory 2755801, a 2012 update for vulnerabilities in Adobe Flash Player running in IE. The update adds patches for the same remote code execution vulnerabilities in Internet Explorer 10 on Windows 8, Windows Server 2012, Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows Technical Preview, and Windows Server Technical Preview.

The remaining bulletins released today include three addressing elevation of privilege vulnerabilities in Windows, two others addressing security feature bypasses in Windows, and one patching a denial of service flaw.

  • MS15-001 patches a publicly disclosed elevation of privilege vulnerability in Windows Application Compatibility component, which could also lead to remote code execution.
  • MS15-003 patches a publicly disclosed elevation of privilege vulnerability in Windows User Profile Service; an attacker would need local access and valid credentials to exploit this vulnerability. This bug was disclosed by Google 90 days after it reported it to Microsoft.
  • MS15-005 patches a security feature bypass vulnerability in Network Location Awareness Service in Windows. Exploits could relax firewall policies or certain configurations if an attacker is able to spoof DNS responses and the victim’s LDAP traffic.
  • MS15-006 patches a security feature bypass vulnerability in Windows Error Reporting, giving an attacker access to memory of a running process.
  • MS15-007 patches a denial-of-service vulnerability in Network Policy Server RADIUS implementations in Windows. An attacker would have to send a specially crafted user name string to NPS or an Internet Authentication Service (IAS) to exploit this flaw. Microsoft said there is no risk of remote code execution with this bug.
  • MS15-008 patches an elevation of privilege vulnerability in Windows Kernel-Mode Driver. An attacker would need valid credentials and local access to exploit this flaw.