Microsoft Patches Zero Day Holes

Thursday, July 16, 2015 @ 05:07 PM gHale

Microsoft released 14 bulletins as part of the company’s July security updates.

The updates address vulnerabilities in Windows, Office, SQL Server and Internet Explorer, including two Zero Day vulnerabilities that researchers found while analyzing the Hacking Team leak.

One of the Zero Day vulnerabilities is a Jscript9 memory corruption vulnerability (CVE-2015-2419) identified by researchers at Vectra Networks. The flaw affects Internet Explorer 11 and can be exploited to gain complete control of a vulnerable system.

The flaw does not require chaining with other vulnerabilities, but it’s not easy to exploit.

Microsoft said there are limited, targeted attacks working to take advantage of the issue.

The Hacking Team did not develop exploit code for this vulnerability. Vectra researchers found the vulnerability after finding an email in which an external researcher offered to sell the exploit to Hacking Team. The Italy-based spyware maker, whose systems were breached, had not acquired the exploit, but the leaked emails contained enough information to allow Vectra to find and analyze the bug.

Another vulnerability related to the Hacking Team breach is a memory corruption flaw (CVE-2015-2387) in the Adobe Type Manager Font Driver (ATMFD.DLL). The bug, which Trend Micro discovered shortly after the Hacking Team breach, can be exploited to take complete control of vulnerable systems.

As with the other problem, Microsoft said attackers are taking advantage of this vulnerability in limited, targeted attacks.

One of the most serious vulnerabilities patched by Microsoft is a remote code execution bug (CVE-2015-2373) affecting the Remote Desktop Protocol (RDP).

Another important security update addresses two vulnerabilities in the Windows Hyper-V hypervisor that can be exploited for remote code execution. The bugs are a buffer overflow (CVE-2015-2361) and an uninitialized memory issue (CVE-2015-2362).

Microsoft also released a patch for a remote code execution bug in SQL Server.

Microsoft has also resolved various Internet Explorer vulnerabilities, remote code execution bugs in Office, and privilege escalation issues in Netlogon, the Windows graphics component, the Windows kernel-mode driver, and the Windows installer.

Microsoft Security Essentials is no longer available for Windows XP, an operating system for which support ended in April 2014. Despite reaching end of life, Windows XP still has a market share of 12 percent.