April’s Patch Tuesday continues the 2015 trend of high volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities.The vulnerabilities affect Windows and Office on both servers and workstations. In addition, Oracle is publishing their quarterly Critical Patch Update fixing 98 vulnerabilities in over 25 software categories, including Java, Oracle RDBMS and MySQL.
Add to that the fixes in Adobe, Mozilla and Google Chrome software that were initiated by the results of the PWN2OWN competition in Vancouver, and every defensive IT security professional will have their work doubled this month.
Number one is MS15-033, the Office bulletin. It addresses five Remote Code Execution (RCE) vulnerabilities, including a 0-day. CVE-2015-1641 is that 0-day and is currently under limited attacks in the wild on Word 2010. It applies equally to Word 2007, 2012 and even to Word 2011 on the Mac. Microsoft rates it only “important” because the exploit requires the user to open a malicious file. This is a very low security barrier at most organizations as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an e-mail with the malicious file attached or linked. If the e-mail is worded well, click/opening rates over 10% are guaranteed.
In addition to the 0-day, the bulletin also addresses two “critical” vulnerabilities CVE-2015-1649 and 1651. Both are RCE type vulnerabilities that on Office 2007 and 2010 are triggered by just looking at an e-mail in the Outlook preview pane. The Outlook preview pane renders RTF files automatically and has been under attack before with a 0-day a year ago in March 2014. At the time Microsoft pointed out that EMET helped against the attacks, no information on the efficacy of EMET this time.
Our number two patch is MS15-034, an RCE type vulnerability for servers. The bulletin addresses vulnerability CVE-2015-1635 in the HTTP stack on Windows server 2008 and 2012, also affecting Windows 7 and 8. An attacker can use the vulnerability to run code on your IIS webserver under the IIS user account. The attacker would then use an exploit for second local vulnerability (EoP) to escalate privilege, become administrator and install permanent exploit code. The attack is simple to execute and needs to be addressed quickly, if you cannot patch immediately take a look at the suggested workaround in IIS caching. This is the top vulnerability for your server team if you run Windows based web servers on the Internet.
At number three we have APS15-06 for Adobe Flash. Adobe acknowledges that one of the vulnerabilities (CVE-2015-3043) is being abused in the wild. Give this fix a high priority unless you work with Google Chrome or newer versions of Internet Explorer that will update Flash for you automatically.
At number four we have MS15-032, the cumulative update for Internet Explorer. This month it addresses 10 vulnerabilities, nine rated critical. All version of Internet Explorer from IE6 on Windows 2003 to IE11 on the latest Windows 8.1 are affected. The attacker needs the user to open a malicious webpage. Common ways to do so are sending links through e-mail and gaining control of a website that the user habitually browses to. The second method has seen some pickup with the vulnerabilities in some of the common CMS system allowing to take control of 100,000s of webservers, for example in the SoakSoak campaign (https://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html).
The last critical bulletin is a MS15-035, a vulnerability in the EMF graphics format. Again the attacker needs user help to execute the exploit, in this case rendering a graphics file. There are plenty of ways to do this, as browsing to a website, opening an e-mail or looking at a fileshare are all possible vectors. Nevertheless, this limits exploitation mostly to desktop/laptop machines. The vulnerability is also limited to older versions of Windows, such as Windows 7, Vista, Server 2003 and 2008. The latest desktop versions of Windows: 8 and 8.1 are not affected, similar for the Windows Server 2008R2 and 2012.
The remaining bulletins are of lower severity covering vulnerabilities in Windows, Sharepoint and .NET and Hyper-V. They should be addressed within your normal patch cycle.
Oracle has pre-announced a large patch set in their Critical Patch Update April 2014. If you are an Oracle customer there are 100 vulnerabilities being addressed with the updates. There is a critical update to Java on the desktop that you should take a look at immediately. There is also an update to Outside-In, which typically triggers an update to Microsoft’s OWA one month later, so prepare your server team for an update to their Exchange server.
Last month the Pwn2Own competition at CanSecWest was held, where security researchers try out their exploits against common browser and operating system combinations. This time all combinations (Chrome, Firefox, IE on Windows and Safari on OSX) were successfully attacked and Pwn2Own’s sponsor paid out over US $500,00 dollars to the winners, with the top earner taking over US $120,000. The vulnerabilities are now being addressed by their respective owners. Mozilla has published Firefox 36.0.4 that fixes both CVEs, and Google has published a new version of Chrome as well.
That is our first take for this month – standby as we take a closer look at Oracle’s patches. If you are coming to RSA Conference 2015 in San Francisco, drop by our booth and take a look at our new releases, you will like what we are coming out with.