Hello everyone,

 

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for September 2015.

 

Welcome to the September Patch Tuesday update. This month Microsoft released a total of twelve (12) new security bulletins. For this month, five (5) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other seven (7) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

 

| Bulletin Number | KB Number | Title | Bulletin Rating | Vulnerability Impact | McAfee Labs Security Advisory Number | Intel Security Coverage |
|---|---|---|---|---|---|---|
| MS15-094 | 3089548 | Cumulative Security Update for Internet Explorer | Critical | Remote Code Execution | MTIS15-139 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS15-095 | 3089665 | Cumulative Security Update for Microsoft Edge | Critical | Remote Code Execution | MTIS15-139 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS15-096 | 3072595 | Vulnerability in Active Directory Service Could Allow Denial of Service | Important | Denial of Service | MTIS15-139 | Covered Products: Vulnerability Mgr (Sep 8). Under Analysis: Firewall Enterprise |
| MS15-097 | 3089656 | Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS15-098 | 3089669 | Vulnerabilities in Windows Journal Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise |
| MS15-099 | 3089664 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | Critical | Remote Code Execution | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, NSP, Application Control. Under Analysis: Firewall Enterprise |
| MS15-100 | 3087918 | Vulnerability in Windows Media Center Could Allow Remote Code Execution | Important | Remote Code Execution | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), BOP, Host IPS, Application Control. Under Analysis: Firewall Enterprise, DAT, Web Gateway |
| MS15-101 | 3089662 | Vulnerabilities in .NET Framework Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), NSP. Under Analysis: Firewall Enterprise |
| MS15-102 | 3089657 | Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-140 | Covered Products: Vulnerability Mgr (Sep 8), NSP. Under Analysis: Firewall Enterprise |
| MS15-103 | 3089250 | Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure | Important | Information Disclosure | MTIS15-141 | Covered Products: Vulnerability Mgr (Sep 8). Under Analysis: Firewall Enterprise |
| MS15-104 | 3089952 | Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege | Important | Elevation of Privilege | MTIS15-141 | Covered Products: Vulnerability Mgr (Sep 8). Under Analysis: Firewall Enterprise |
| MS15-105 | 3091287 | Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass | Important | Security Feature Bypass | MTIS15-141 | Covered Products: Vulnerability Mgr (Sep 8). Under Analysis: Firewall Enterprise |

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS15-094 (CVE-2015-2483 to 2487, 2489 to 2494, 2498 to 2501, 2541 & 2542)

Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 17 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because so many versions of Internet Explorer are affected, this update applies to a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

 

  • Fourteen (14) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Two (2) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • One (1) of these vulnerabilities is an Escalation of Privilege vulnerability. If exploited, this potentially allows a script to be run with elevated privileges.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen or an email message, or by opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

   

MS15-095 (CVE-2015-2485 and 2486, 2494, and 2542)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. All four (4) included vulnerabilities that are patched by this bulletin are Memory Corruption vulnerabilities that result in the potential for Remote Code Execution. Similarly to the cumulative Internet Explorer vulnerabilities in MS15-094, attackers would have to convince users with an affected version of Microsoft Edge to view specially crafted content that exploits these vulnerabilities.

 

MS15-096 (CVE-2015-2535)

This security update resolves a Denial of Service vulnerability in Active Directory. In this case, an authenticated attacker could create multiple machine accounts and this could cause the Active Directory service to become non-responsive. Note that the attacker must have valid credentials in order to exploit this vulnerability.

 

MS15-097 (CVE-2015-2506 to 2508, 2510 to 2512, 2517 & 2518, 2527, 2529, & 2546)

This bulletin addresses multiple security vulnerabilities in Microsoft graphics components in Microsoft Windows, Microsoft Office, and Microsoft Lync. These are Elevation of Privilege and Remote Code Execution vulnerabilities. This update replaces updates in MS14-036, MS15-078 and MS15-080. There are multiple update packages offered for each affected software, so be sure to get all updates.

 

MS15-098 (CVE-2015-2513 & 2514, 2516, 2519, & 2530)

Here we have multiple Remote Code Execution vulnerabilities in the Windows Journal. They exist when a specially crafted Journal file is opened and could cause arbitrary code to be executed in the context of the current user.

 

MS15-099 (CVE-2015-2520 through 2523, & 2545)

This bulletin covers five (5) vulnerabilities in Microsoft Office and Microsoft SharePoint. For the Microsoft Office vulnerabilities, three (3) of them are Memory Corruption vulnerabilities where Microsoft Office software fails to properly handle objects in memory. The other vulnerability in Microsoft Office is a Remote Code Execution vulnerability when opening a corrupted graphics image file or inserting a corrupted graphics image into a Microsoft Office file. The final update in this bulletin addresses a cross-site scripting (XSS) vulnerability in Microsoft SharePoint. SharePoint fails to properly sanitize user-supplied web requests, which could result in spoofing. Note that the SharePoint update contains additional security-related changes to functionality and replaces previous SharePoint updates.

 

MS15-100 (CVE-2015-2509)

This security update resolves a Remote Code Execution vulnerability in Windows Media Center. This vulnerability could allow the execution of arbitrary code if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code.

 

MS15-101 (CVE-2015-2504, 2526)

Here we have a Denial of Service vulnerability and an Elevation of Privilege vulnerability in the Microsoft .NET Framework. This update affects multiple versions of the Microsoft .NET Framework, so users may have to install multiple packages to patch the vulnerability in each version that is installed. The Elevation of Privilege vulnerability has web browsing as an attack scenario, so it is very important to get this update deployed.

 

MS15-102 (CVE-2015-2524, 2525, & 2528)

This update resolves a trio of Elevation of Privilege vulnerabilities in Windows Task Management. It affects current Windows client and Windows server operating systems.

 

MS15-103 (CVE-2015-2505, 2543, & 2544)

This bulletin addresses an Information Disclosure vulnerability and two (2) Spoofing vulnerabilities in Microsoft Exchange Server 2013. All three (3) of these vulnerabilities affect Outlook Web Access, so companies utilizing OWA should investigate and schedule the installation of this update.

 

MS15-104 (CVE-2015-2531, 2532, & 2536)

This security update resolves three (3) cross-site scripting (XSS) vulnerabilities in Skype for Business Server and Microsoft Lync Server. Two (2) of these are Information Disclosure vulnerabilities and the other one is an Elevation of Privilege vulnerability. These only affect the server versions of Skype for Business and Microsoft Lync.

 

MS15-105 (CVE-2015-2534)

Finally, here we’ve got a Security Feature Bypass vulnerability in Windows Hyper-V. It exists when Windows Hyper-V access control list (ACL) configuration settings are not applied correctly. An attacker can run a specially crafted application that could cause Hyper-V to allow unintended network traffic.

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for September 2015 at the Microsoft site.

 

Until next month…stay safe!

-Greg