Hello everyone,

 

This is Greg Blaum with the Microsoft Patch Tuesday newsletter for October 2015.

 

Welcome to the October Patch Tuesday update. This month Microsoft released a total of six (6) new security bulletins. For this month, three (3) of these are rated Critical, which Microsoft terms as a vulnerability whose exploitation could allow code to execute without any user interaction. These are the types of vulnerabilities that system administrators are usually the most concerned about and attempt to patch as quickly as possible. The other three (3) are rated Important.

 

Clarification of the Intel Security Coverage column in the table below

Some Microsoft bulletins include multiple vulnerabilities. The Covered Products and Under Analysis sections will list Intel Security products for *any* of the vulnerabilities included in the Microsoft bulletin. You may see an Intel Security product listed in both sections, which would indicate that it is Covered for one of the vulnerabilities in the bulletin and Under Analysis for one of the other vulnerabilities. The details for each individual vulnerability are provided in the McAfee Labs Security Advisory Number.

 

This month’s patches include the following:

 

Bulletin Number

KB Number

Title

Bulletin Rating

Vulnerability Impact

McAfee Labs Security Advisory Number

Intel Security Coverage

MS15-106

3096441

Cumulative Security Update for Internet Explorer

Critical

Remote Code Execution

MTIS15-158

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • BOP
  • Host IPS
  • NSP
  • Application Control
  • Web Gateway
  • DAT

 

Under Analysis:

  • Firewall Enterprise

MS15-107

3096448

Cumulative Security Update for Microsoft Edge

Important

Information Disclosure

MTIS15-158

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • DAT
  • NSP
  • Web Gateway

 

Under Analysis:

  • Firewall Enterprise
  • BOP
  • Host IPS
  • Application Control

MS15-108

3089659

Security Updates for JScript and VBScript to Address Remote Code Execution

Critical

Remote Code Execution

MTIS15-158

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • NSP
  • BOP
  • Host IPS
  • NSP
  • Application Control

 

Under Analysis:

  • Firewall Enterprise

MS15-109

3096443

Security Update for Windows Shell to Address Remote Code Execution

Critical

Remote Code Execution

MTIS15-159

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • BOP
  • Host IPS
  • NSP
  • Application Control

 

Under Analysis:

  • Firewall Enterprise

MS15-110

3096440

Security Updates for Microsoft Office to Address Remote Code Execution

Important

Remote Code Execution

MTIS15-159

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • BOP
  • Host IPS
  • NSP
  • Application Control

 

Under Analysis:

  • Firewall Enterprise

MS15-111

3096447

Security Update for Windows Kernel to Address Elevation of Privilege

Important

Elevation of Privilege

MTIS15-159

Covered Products:

  • Vulnerability Mgr (Oct 13)
  • Host IPS
  • NSP

 

Under Analysis:

  • Firewall Enterprise

 

Let’s take a closer look at each of the Microsoft Security Bulletins:

 

MS15-106 (CVE-2015-2482, 6042, 6044 to 6053, 6055, 6056, & 6059)

Here is the standard cumulative Internet Explorer Security Update. This Internet Explorer update addresses 15 vulnerabilities in multiple versions of Internet Explorer. The vulnerabilities in this update affect Internet Explorer 7 through Internet Explorer 11 on all currently supported versions of Windows. Because of the wide version numbers of Internet Explorer that have these vulnerabilities, this affects a very large installed base of Internet Explorer users. Let’s take a closer look at the vulnerabilities covered by this patch:

 

  • Eight (8) of these vulnerabilities are Internet Explorer Remote Code Execution vulnerabilities. An attacker could leverage any of these vulnerabilities to corrupt memory, gain the same rights as the currently logged in user, and then execute arbitrary code.
  • Three (3) of these vulnerabilities are Elevation of Privilege vulnerabilities. If exploited, this potentially allows a script to be run with elevated privileges.
  • Three (3) of these vulnerabilities are Information Disclosure vulnerabilities. If exploited, an attacker could potentially read data that was not intended to be disclosed.
  • One (1) of these vulnerabilities is a Security Feature Bypass vulnerability. It bypasses the Address Space Layout Randomization (ASLR) feature in the VBScript and JScript engines, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack.
  • As in the past with the Internet Explorer vulnerabilities, attackers have to convince users with affected versions of Internet Explorer to view specially crafted content that exploits these vulnerabilities. The content could be on a compromised website or a forum/blog site that allows users to post their own content. Users could be convinced to visit one of these sites by clicking on a link in an Internet search results screen, an email message, or opening an infected attachment. Having good email hygiene with anti-spam and anti-phishing techniques (such as McAfee Email Protection) in place will help mitigate the potential for users to stray to an affected website. Since we expect some of the known-bad sites on the Internet to be harbors for this type of attack, having good web browsing habits and using tools such as McAfee SiteAdvisor, McAfee SiteAdvisor Enterprise and McAfee Web Protection can also help.

 

MS15-107 (CVE-2015-6057 & 6058)

This cumulative security update affects only the Microsoft Edge browser on Windows 10. One of the vulnerabilities is an Information Disclosure vulnerability whereby Microsoft Edge improperly discloses certain contents of memory. The other vulnerability is a Security Feature Bypass vulnerability in the Microsoft Edge cross-site scripting (XSS) filter.

 

MS15-108 (CVE-2015-2482, 6052, 6055, & 6059)

This security updates resolves multiple vulnerabilities in the Microsoft VBScript and JScript engines. Two (2) of these are Remote Code Execution vulnerabilities, one (1) is an Information Disclosure vulnerability, and the other one (1) is a Security Feature Bypass vulnerability. The Remote Code Execution vulnerabilities are the result of Memory Corruptions that exist when the VBScript and JScript engines improperly handle object in memory. The Information Disclosure vulnerability is present when either of the scripting engines improperly disclose contents of memory. Lastly, the Security Feature Bypass vulnerability exists when the scripting engines fail to use the Address Space Layout Randomization (ASLR) security feature.

 

MS15-109 (CVE-2015-2515 & 2548)

This bulletin addresses two (2) Remote Code Execution vulnerabilities in Microsoft Windows. One of the vulnerabilities exists when the Windows Shell improperly handles objects in memory from a toolbar object. This would require a custom toolbar with exploit code to be loaded onto a target system. The other vulnerability is in the Microsoft Tablet Input Band, and is also due to improperly handling objects in memory.

 

MS15-110 (CVE-2015-2555 to 2558, 6037, & 6039)

Here we have multiple vulnerabilities in Microsoft Office, including SharePoint Server. Versions affected include 2007, 2010, 2013, 2016, 2011 for Mac, 2016 for Mac, Viewer & Compatibility Pack, as well as SharePoint 2007, 2010, and 2013. Depending on the product affected, these could be Remote Code Execution, Information Disclosure, Security Feature Bypass, or Spoofing vulnerabilities. Several Microsoft Office products are affected here, so pay close attention to the product listing.

 

MS15-111 (CVE-2015-2549, 2550, & 2552 to 2554)

Finally, this bulletin covers five (5) vulnerabilities in the Windows kernel. Four (4) of these Elevation of Privilege vulnerabilities and the other one is a Security Feature Bypass vulnerability. These vulnerabilities are present in both the currently supported desktop operating systems (Vista, Windows 7, Windows 8 & 8.1, Windows RT and RT 8.1, and Windows 10) as well as the currently supported server operating systems (Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, and the Server Core installs).

 

 

NOTE: A bit of clarification might be in order here. Readers may wonder why we don’t often mention McAfee VirusScan or other technologies as mitigations for these vulnerabilities. The industry generally describes a security vulnerability as an unintentional coding or design flaw in software that may leave it potentially open to exploitation. While there may be some forms of defense against any given vulnerability being exploited, in some cases the only way to truly mitigate the issue is to patch the vulnerable software. Since our focus here is on Microsoft Security Bulletins, it might be useful to read the Microsoft Security Response Center’s definition of a security vulnerability.

 

Memory Corruption Vulnerabilities:

Intel Security is seeing many Memory Corruption Remote Code Execution vulnerabilities that affect a large number of products…not just those from Microsoft. This is an area where customers can see immediate value when using McAfee Host Intrusion Prevention. For example, by enabling protection and applying the Default IPS (Intrusion Prevention System) Rules policy, we have demonstrated that 90 percent or more of the Microsoft vulnerabilities listed in Patch Tuesday updates were shielded using this out-of-the-box basic protection level.

 

 

Further research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

The McAfee Labs Security Advisories can be found on the McAfee Labs Security Advisories Community site.

 

Finally, these briefings are archived on the McAfee Community site.

 

For additional useful security information, please make note of the following links:

 

You can also review the Microsoft Summary for October 2015 at the Microsoft site.

 

Until next month…stay safe!

-Greg