February Patch Tuesday 2015 comes after a quite turbulent month for information security professionals. Not so much Microsoft, but Adobe has been keeping us busy with multiple disclosed 0-day vulnerabilities their Flash software. All of the known issues have been very quickly addressed by Adobe (APSB15-02, 03 and 04), typically turning around a fix in less than a week. Still, it is worrisome to see the amount of problems that cyber criminals are able to find in software that we all have installed and use in our daily lives.
Microsoft itself posted nine bulletins this month, four that fix remote code execution (RCE) type vulnerabilities, and five that are rated important addressing a number of of local vulnerabilities such as elevation of privilege and information disclosures.
The most important Microsoft bulletin, after installing Adobe’s APSB14-04 is MS15-009, is the fix for Internet Explorer (IE). All versions of IE are affected and the patch contains the patches for 41 vulnerabilities, a very high count, but do not forget that last month there was no IE release, which explains this elevated number. While one of the vulnerabilities, CVE-2014-8967 has been publicly disclosed due to a 120 day fix embargo that Microsoft did not meet, it is not being used in the wild.
Next on our list is MS15-012, which addresses three vulnerabilities, including a RCE type that can be used to gain control over the user’s machine. An attacker could trick the user into opening a specially formatted document, frequently aided through the use of social engineering, i.e. sending an email with an attachment that is of interest. Since this type of attack is quite frequent we believe this bulletin should be high on your list.
MS15-010 is a critical bulletin for the Windows Operating system addressing six vulnerabilities that are present in all versions of the operating system starting with Server 2003 through Windows 8.1 and Server 2008 R2. One of the vulnerabilities, CVE-2015-0010 has been disclosed publicly through the Project Zero from Google because its 90-day embargo period expired, but Microsoft indicates that they are unaware of any exploitation attempts.
MS15-011 is an interesting vulnerability in Microsoft Group Policy mechanism. The flaw provides remote code execution. The attacker has to trick a user to connect their client machine to the attacker’s malicious domain, which places the attack squarely into the enterprise realm, with the attacker controlling the domain controller or able to pose as domain controller. Interestingly enough Microsoft is not addressing the vulnerability in Windows Server 2003, but states that the fix would be too invasive to guarantee 2003 continued functioning. One more reason to get off the Server 2003 platform as soon as possible, in addition to the coming end-of-life of the platform in July of this year.
The remaining bulletins address local problems in Office (MS15-013) with an ASLR issue, Group Policy (MS15-014), Windows (MS15-015 and MS15-016) and the Virtual Machine Manager in Server 2012 (MS15-017). There is a bit more information about MS15-016 in the blog post by Michal Zalewski, where he details that it was found through his afl-fuzz program a fuzzing tool that he has been honing for the last year or so. afl-fuzz finds some astonishing bugs, but in this case he is just pointing out the Microsoft addressed the problem quite rapidly in exactly 60 days from disclosure to patch.
Overall a pretty normal Patch Tuesday from Microsoft, with a larger than normal Internet Explorer Patch.