Patch Tuesday Features FREAK Focus

Friday, March 13, 2015 @ 01:03 PM gHale


Microsoft issued 14 security bulletins to protect against 44 different CVE-listed security vulnerabilities in its monthly Patch Tuesday release.

The patch bundle includes Microsoft’s solution for the FREAK security vulnerability and some major fixes for Internet Explorer. Five of the patches are marked as “critical,” and the rest are all “important.”

The complete list of the March bulletins is as follows:
MS15-018 A cumulative update for Internet Explorer 6-11. The package includes fixes for 12 CVE-classified vulnerabilities, including nine that could be exploited for remote code execution. One of the flaws was publicly disclosed, though no one posted exploit code.

The update is critical for all Windows client systems, while Windows Server installations are at less risk because the browser rarely sees use there. Researchers with HP’s Zero Day Initiative, Palo Alto Networks and several independent researchers earned credit for the bug discoveries.

MS15-019 A fix for a single remote code execution vulnerability in the Internet Explorer 6-7 VBScript component. The update rates as “critical” for Windows Vista installations; Internet Explorer versions 8 and later are not vulnerable to attack. Bo Qu of Palo Alto Networks discovered the issue.

MS15-020 Two remote code execution flaws in Windows, exploitable by directing the user to a malicious webpage or by launching an infected DLL file.

The bulletin rates as “critical” for all client and Server versions of Windows from Vista and Server 2003 through Windows 8.1 and Server 2012 R2. Two of the discoveries were from Garage4Hackers and Michael Heerklotz of HP’s Zero Day Initiative, while Francis Provencher of Protek Research labs found the third.

MS15-021 Eight flaws in the Adobe Font Driver components for Windows and Windows Server exploitable through a malicious website or file. The fix rates as “critical” for all supported versions of Windows and Windows Server due to the possibility of remote code execution. Mateusz Jurczyk of Google Project Zero spotted all eight vulnerabilities.

MS15-022 Five CVE-listed vulnerabilities in Office and SharePoint Server. The Office flaws could allow remote code execution when the user launched a malicious file, while another could allow elevation of privilege on SharePoint servers by exploiting a cross-site scripting vulnerability.

Credit for spotting the problem goes to researcher Adi Ivascu as well as 3S Labs of the HP Zero Day Initiative, Ben Hawkes of the Google Security Team and Noam Rathaus of SecuriTeam Secure Disclosure.

MS15-023 Four vulnerabilities in the Windows Kernel-Mode driver allowing elevation of privilege and information disclosure attacks by way of launching a specially-crafted application.

This bulletin rates “important” for all supported versions of Windows and Windows Server. Researcher ‘KK’ discovered a flaw, as did Ashutosh Mehra of Adobe Systems, James Forshaw of Google Project Zero and WanderingGlitch with the HP Zero Day Initiative.

MS15-024 An information disclosure vulnerability in Windows exploited by launching a malformed PNG image. All versions of Windows and Windows Server suffer from the issue and have an aggregate security rating of “important.” Researcher Michal Zalewski of Google discovered the vulnerability.

MS15-025 Two vulnerabilities in the kernel of all supported versions of Windows and Windows Server, exploitable via a malicious application. The vulnerabilities could be used to gain elevation of privilege on a system. The bulletin rates as “important” and credit for discovery goes to James Forshaw of Google Project Zero.

MS15-026 Five vulnerabilities in Exchange Server 2013, including elevation of privilege and spoofing flaws. Other versions of Windows and Windows Server are not vulnerable. Adi Ivascu, Nicolai Grodum and Darius Petrescu got credit for reporting the bugs.

MS15-027 One flaw in the Windows Server Netlogon component which could be exploited by an attacker to spoof another user on a local network. The flaw was rated “important” for Windows Server 2003, 2008 and 2012 with client versions of Windows not affected. Discovery was credited to Alberto Solino of Core Security.

MS15-028 An elevation of privilege vulnerability in Windows 7, RT, 8 and 8.1 as well as Windows Server 2008 through 2012 R2. The Task Scheduler flaw could be targeted by an attacker to raise system privileges. The bulletin is rated “important” with credit going to James Forshaw of Google Project Zero.

MS15-029 An information disclosure vulnerability in the Windows Photo Decoder for Windows Vista and later and Windows Server 2008 and later. The flaw could be exploited through a malformed JPG file and is classified as “important” by Microsoft. Michal Zalewski of Google was given credit.

MS15-030 A denial of service vulnerability in the Remote Desktop Protocol. The vulnerable component is present in Windows 7, 8 and 8.1 as well as Server 2012 and 2012 R2. The bulletin is rated as “important” with no acknowledgement given.

MS15-031 The aforementioned FREAK update. Microsoft has issued the fix for all supported versions of Windows and Windows Server running the vulnerable Schannel component. The company has labeled the fix as “important.”
