Microsoft Delivers Nine Security Bulletins for February

As the second Tuesday of the month, it’s time for Microsoft administrators to get patchin’. You can find this month’s Patch Day details at Microsoft’s February Patch Day Summary page, but I’ll summarize some of the highlights below.

By the Numbers:

Today, Microsoft released nine security bulletins, fixing a total of 60 security vulnerabilities in many of their products. The affected products include:

• all current versions of Windows,
• Internet Explorer (IE),
• Office,
• and Microsoft System Center Virtual Machine Manager (VMM).

They rate three bulletins as Critical, six as Important.

Patch Day Highlights:

The most interesting vulnerability this month is probably Microsoft’s Group Policy remote code execution flaw. This is a rather complex flaw that requires an attacker successfully pull off a man-in-the-middle (MitM) attack on a computer that is configured to connect to an Active Directory domain. Once the attacker can intercept your traffic, he can trick it into running a malicious login script, which allows him to run anything he wants. Since the flaw relies on a domain login, it primarily affects corporate Windows users. Check out this article to learn more.

Internet Explorer (IE) also got a rather beefy patch, which fixes 41 security flaws. The update mostly fixes memory corruption vulnerabilities that bad guys can leverage in drive-by download attacks. However, this update also includes updates to IE’s SSLv3 handling to mitigate the POODLE flaw. Finally, this update does NOT fix the recent IE11 cross-site scripting (XSS) flaw that Google disclosed. That said, I’d recommend you install the IE update first, as web drive-by download attacks are much more popular and targeted than the Group Policy attack mentioned above.

Quick Bulletin Summary:

We summarize February’s security bulletins below in order of severity. We recommend you apply the updates in the same order of priority, assuming you use the affected products.

• MS15-009 – Critical – Cumulative Internet Explorer update fixes 41 vulnerabilities – The Internet Explorer (IE) update primarily fixes a bunch of memory corruption flaws remote attackers could leverage to execute code. These are the types of flaws typically used in drive-by download attacks. If an attacker can get you to visit a site with malicious code, he could exploit these flaws to run code on your machine. If you have local administrator privileges, the attacker gains full control of your PC.
• MS15-010 – Critical- Kernel-mode Driver RCE flaw – The kernel-mode driver that ships with Windows suffers from various elevation of privilege flaws that could allow unprivileged users to execute code with full privileges. However, the attacker needs local system access and credentials to carry out the attack.
• MS15-011 – Critical – Group Policy Remote Code Execution Flaw – The Windows Active Directory Group Policy Component suffers from complex code execution vulnerability. If an attacker can successfully intercept all the traffic of a Windows computer that connects to a domain, she can exploit this flaw to run arbitrary code on that computer. However, the attacker would most likely have to be on the same network as the victim in order for such a man-in-the-middle attack to succeed.
• MS15-012 – Important – Office Code Execution Flaws – Various Office components, like Word and Excel, suffer from document handling code execution flaws. If an attacker can get you to open a maliciously crafted document, he could exploit these to gain control of your computer.
• MS15-013 – Important – Office Security Bypass Flaw – Office doesn’t properly leverage Windows’ Address Space Layout Randomization (ASLR) feature. Since ASLR makes it harder for bad guys to exploit memory corruption issues, this bypass flaw makes it easier for attackers.
• MS15-014 – Important – Group Policy Security Bypass Flaw – Using a man-in-the-middle attack, an attacker can trick Group Policy into reverting to its less secure, default state. This attack only works against Windows machines that connect to a domain. This flaw can be used in conjunction with MS15-011 to execute code.
• MS15-015 – Important – Windows Elevation of Privilege Flaw – In short, if a unprivileged user can run code on a Windows machine, he can leverage this flaw to gain system privileges. However, he needs valid credentials and enough access to log in to the computer in the first place.
• MS15-016 – Important – Windows Graphic Component Information Disclosure Flaw – The Graphics component of Windows suffers from a minor flaw that attackers could leverage to learn about the current memory state of your computer. This flaw serves little purpose alone, but could help attackers exploit other memory corruption vulnerabilities easier. Also, the attacker would have to entice you into viewing a TIFF image in order to exploit this flaw.
• MS15-017 – Important – VMM Elevation of Privilege Flaw – If an attacker has credentials to login to your Microsoft Virtual Machine Manager (VMM), even as an under-privileged role, that attacker could leverage this flaw to gain full access to VMM and all your virtual machines.

Solution Path:

If you use any of the software mentioned above, you should apply the corresponding updates as soon as you can. I recommend you apply the Critical updates immediately, try to get to the Important ones as a soon as possible, and leave the moderate ones for last.

IMPORTANT NOTE: We have already read rumors about problems with some of today’s Microsoft updates. We highly recommend you test the patches before applying them to production servers.

You can get the updates three ways:

1. Let Windows Automatic Update do it for you – While patches sometimes introduce new problems, these occasional issues don’t seem to affect clients as often as they do servers. To keep your network secure, I recommend you set Windows clients to update automatically so they get patches as soon as possible.
2. Manually download and install patches – That said, most businesses strongly rely on production servers and server software. For that reason, I recommend you always test new server updates before applying them manually to production servers. Virtualization can help you build a test environment that mimics your production one for testing.  You can find links to download the various updates in the individual bulletins I’ve linked above.
3. Download February’s full Security Update ISO –  Finally, Microsoft eventually posts an ISO image that consolidates all the security updates. This ISO conveniently packages the updates in one place for administrators. You’ll eventually find a link to the monthly security ISOs here, but Microsoft may not post it until a few days after Patch Day

For WatchGuard Customers:

Good News! WatchGuard’s Gateway Antivirus (GAV), Intrusion Prevention (IPS), and APT Blocker services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block many of the attacks described in Microsoft’s alerts:

• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-8967)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0017)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0018)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0019)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0020)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0021)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0022)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0023)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0025)
•  WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0026)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0029)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0030)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0031)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0035)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0036)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0037)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0038)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0039)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0040)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0041)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0042)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0043)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0071)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0070)
• WEB-CLIENT Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-0069)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0068)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0067)
• FILE Microsoft Office Word OneTableDocumentStream Remote Code Execution Vulnerability (CVE-2015-0065)
• FILE Microsoft Office Word Remote Code Execution Vulnerability (CVE-2015-0064)
• FILE Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2015-0063)
• FILE Microsoft Office TTF TrueType Font Parsing Remote Code Execution Vulnerability (CVE-2015-0059)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0053)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0052)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0051)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0050)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0049)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0048)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0046)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0045)
• WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-0044)
• FILE Adobe Flash Player BitmapFilter Invalid Object Corruption Remote Code Execution (CVE-2015-0314)
• FILE Adobe Flash Player Video Event Dispatch Use After Free (CVE-2015-0315)
• FILE Adobe Flash Player OP_ANYBYTE PCRE Library Memory Corruption (CVE-2015-0316)
• FILE Adobe Flash Player XMLSocket.connect Type Confusion (CVE-2015-0317)
• FILE Adobe Flash Player PCRE Regex Compilation Memory Corruption (CVE-2015-0318)
• FILE Adobe Flash Player Multiple Type Confusion (CVE-2015-0319
• FILE Adobe Flash Player MessageChannel.send() Use After Free (CVE-2015-0320)
• FILE Adobe Flash Player Parsing Malformed mp4 Video Memory Corruption (CVE-2015-0321)
• FILE Adobe Flash Player ActionScript Pushscope Opcode Memory Corruption (CVE-2015-0322)
• FILE Adobe Flash Player Special Regex Character Sets Heap Overflow (CVE-2015-0323)
• FILE Adobe Flash Player JSON.stringify Integer Heap Overflow (CVE-2015-0324)
• FILE Adobe Flash Player RemoveFromDeviceGroup() Use After Free (CVE-2015-0325)
• FILE Adobe Flash Player ActionScript URLRequest.requestHeaders Type Confusion (CVE-2015-0326)
• FILE Adobe Flash Player Stringifying Proxy Objects Heap Overflow (CVE-2015-0327)
• FILE Adobe Flash Player NetConnection Request Null Dereference (CVE-2015-0328)
• FILE Adobe Flash Player Multibyte UTF-8 Characters Regular Expressions Memory Corruption (CVE-2015-0329)
• FILE Adobe Flash Player PCRE Regex Heap Overflow (CVE-2015-0330)

Your Firebox or XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nevertheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws. — Corey Nachreiner, CISSP (@SecAdept)