


March 2015 Patch Tuesday: 5 of 14 rated Critical and Microsoft issues a fix for FREAK

Mar 10, 2015 | 6 min read
Data and Information Security | Microsoft | Security

Microsoft issued 14 security bulletins for March 2015, five of which are rated as critical.

For March 2015 Patch Tuesday, Microsoft released 14 security bulletins resolving a plethora of security problems, five of which are rated critical, to fix flaws in Windows, Office, Exchange and, of course, Internet Explorer. Yes, Microsoft issued a FREAK fix, MS15-031 (see advisory), but rated it only as important. Of the 43 vulnerabilities addressed by the March 2015 patches, Microsoft acknowledged that 10 are reliable attack vectors for remote code execution.

“With 14 bulletins Microsoft seems eager to fix everything this month,” said Tripwire security researcher Tyler Reguly. “From Remote Desktop to Exchange, Netlogon to Sharepoint, and Office to VBScript, everything seems to be covered. I was surprised that I didn’t find a bulletin entitled, ‘Vulnerability in Kitchen Sink allows Faucet Leakage When Disabled’.”

Rated as Critical

MS15-018 is a cumulative security update for Internet Explorer 6, IE 7, IE 8, IE 9, IE 10 and IE 11; the patch addresses 12 CVEs and is considered critical for Windows clients and moderate for Windows servers. The worst-case scenario if left unpatched is that an attacker could successfully exploit the vulnerabilities and pull off remote code execution (RCE) to gain the same rights as the user. Qualys CTO Wolfgang Kandek said MS15-018 is the highest priority, followed by MS15-022, MS15-021 and then MS15-020.

MS15-019 addresses an RCE vulnerability in the VBScript scripting engine in Microsoft Windows. Microsoft said the patch is needed for “systems with Internet Explorer 7 or earlier installed” as well as Windows systems “without Internet Explorer installed.” On systems running IE 8 or later the same VBScript fix is delivered by the MS15-018 cumulative update described above, so those systems do not need MS15-019 separately.

MS15-020 resolves two vulnerabilities in Windows that could allow remote code execution if an attacker convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted DLL file (the DLL-planting scenario behind the Stuxnet LNK vulnerability discussed below).

MS15-021 addresses eight vulnerabilities in Adobe Font Driver that could lead to RCE; it’s rated critical for all supported releases of Microsoft Windows.

MS15-022 is needed to fix five vulnerabilities in Microsoft Office and SharePoint that could lead to remote code execution. Microsoft noted, “This security update is rated Critical for all supported editions of Microsoft Office 2007, Microsoft Office 2010, and Microsoft Office 2013.” The patch is considered important for other versions of Excel, PowerPoint and Word, as well as SharePoint Servers and services.

Rated as Important by Microsoft

While MS15-023 addresses security holes in the Windows kernel-mode driver, MS15-025 patches vulnerabilities in the Windows kernel; both could allow elevation of privilege.

The next two close doors that attackers could exploit for information disclosure. MS15-024 resolves a flaw in Windows PNG processing and MS15-029 addresses the security flaw in Windows Photo Decoder.

MS15-026 “is an XSS vulnerability in OWA enabling a privilege escalation attack and affects all editions of Exchange Server 2013; its severity is listed as ‘Important’ and doesn’t require a system restart,” said David Picotte, manager of security engineering at Rapid7. “Hopefully this will translate to a quick win for administrators as this patch contains only fixes for the issue being addressed and doesn’t bundle in additional enhancements.”

MS15-027 fixes a vulnerability in NETLOGON that could allow spoofing.

While Microsoft’s fix to nix the FREAK attack seems to be getting all the love, “enterprises should know by now the importance of patching critical Office and Explorer vulnerabilities; MS15-027, a NETLOGON spoofing vulnerability, could be just as important to an enterprise,” added Tripwire security researcher Craig Young. “The underlying vulnerability, CVE-2015-0005, could enable a successful attacker to move deeper into a network after breaching a workstation through a separate attack. For example an intruder could use the Office defect to gain low-level access into a network and then use impersonation techniques leveraging CVE-2015-0005 to further penetrate the network. The risk of APT and insider threat make it imperative that enterprises patch their domain controllers with MS15-027 immediately.”

MS15-028 is the solution for a security feature bypass vulnerability in Windows Task Scheduler.

MS15-030 resolves a hole in Microsoft Windows Remote Desktop Protocol that could allow a denial-of-service attack if left unpatched.

FREAK fix: MS15-031 (see ‘advisory’ below)

Security advisories

Additionally, Microsoft released one new security advisory (3033929) and revised two more. The newest advisory deals with an old problem as it is a “reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality.” Microsoft said 3033929 “supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update because SHA-2 signing and verification functionality is already included in these operating systems.”

Two security advisories were revised: 2755801 is the standing advisory for vulnerabilities in Adobe Flash Player in IE, and 3046015, the advisory for the Schannel vulnerability behind FREAK, was updated to note that Microsoft has released MS15-031 to address the issue.

The fix for FREAK is rated as important, yet Microsoft made sure to point out that Windows is not the only OS affected. In fact, Microsoft didn’t publicly touch FREAK until March 5, when it released the 3046015 advisory. MS15-031 closes a security feature bypass hole that could allow a “man-in-the-middle attacker to force the downgrading of the key length of an RSA key to EXPORT-grade length in a TLS connection. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.” In other words, if you use Windows then you need it.
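The downgrade Microsoft describes only works when the server on the other end is still willing to negotiate an export-grade RSA suite, which is what scanners checked for in the days after FREAK was disclosed. As an added example (not code from this article or from Microsoft), the Python probe below builds a TLS ClientHello that offers a server nothing but the RSA_EXPORT cipher suites, then parses the reply: a ServerHello selecting one of them means the server is FREAK-exploitable, an alert means it refused. The cipher suite code points are the IANA values; the sample ServerHello and alert records are constructed inline, not captured traffic, so the parser runs offline, and `check_host` is the live version. Note the limit of such a probe: MS15-031 fixes the Windows client side of the bug (Schannel accepting a suite it did not offer), which a server check like this cannot observe.

```python
import socket
import struct

# RSA_EXPORT cipher suites (IANA code points): the 512-bit RSA key exchange FREAK abuses.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 22, 21          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2  # handshake message types


def build_client_hello(suites, server_name=None):
    """TLS 1.0 record carrying a ClientHello that offers only `suites`
    (the position a downgrading man-in-the-middle puts a victim in)."""
    client_random = bytes(32)                     # constant is fine for a probe, never for real use
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + client_random
            + b"\x00"                             # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                        # one compression method: null
    if server_name:                               # SNI extension so virtual hosts answer
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Walk the TLS records in `data`; return ('server_hello', suite),
    ('alert', level, description) or ('unknown', None)."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        frag = data[off + 5:off + 5 + length]
        off += 5 + length
        if ctype == ALERT and len(frag) >= 2:
            return ("alert", frag[0], frag[1])
        if ctype == HANDSHAKE and frag and frag[0] == SERVER_HELLO:
            # ServerHello layout: type(1) len(3) version(2) random(32) sid_len(1) sid(n) suite(2)
            sid_len = frag[38]
            suite = struct.unpack("!H", frag[39 + sid_len:41 + sid_len])[0]
            return ("server_hello", suite)
    return ("unknown", None)


def assess(response):
    """(True, why) if the server agreed to an RSA_EXPORT suite, (False, why) if it
    refused, (None, why) if the reply could not be interpreted."""
    parsed = parse_server_response(response)
    if parsed[0] == "server_hello":
        suite = parsed[1]
        if suite in EXPORT_RSA_SUITES:
            return True, "server accepted " + EXPORT_RSA_SUITES[suite]
        return None, "server chose 0x%04x, which was not offered" % suite
    if parsed[0] == "alert":
        return False, "server refused export suites (alert level %d, description %d)" % parsed[1:]
    return None, "no ServerHello or alert in response"


def check_host(host, port=443, timeout=5.0):
    """Live probe: offer only RSA_EXPORT suites and see whether the server takes one."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(EXPORT_RSA_SUITES), host))
        try:
            while len(b"".join(chunks)) < 4096:   # enough to hold the ServerHello
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return assess(b"".join(chunks))


# Constructed sample replies (not captured traffic) so the parser can be exercised offline.
def sample_server_hello(suite):
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def sample_alert(level=2, description=40):       # 2 = fatal, 40 = handshake_failure
    return bytes([ALERT, 3, 1, 0, 2, level, description])


if __name__ == "__main__":
    print(assess(sample_server_hello(0x0003)))   # (True, 'server accepted TLS_RSA_EXPORT_WITH_RC4_40_MD5')
    print(assess(sample_alert()))                # (False, 'server refused export suites (alert level 2, description 40)')
    # print(check_host("example.com"))           # live check against a server you are allowed to test
```

A server that answers the export-only ClientHello with a ServerHello is the one an attacker needs; a properly configured server replies with a handshake_failure alert. The probe speaks TLS 1.0 on purpose, since that is the record version every server of the period accepted, and it stops at the ServerHello because nothing after it matters for this question.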

“This month you can take your pick from a whole menu of fancy security patch specials: Stuxnet, Superfish or FREAK,” said Tripwire security analyst Andrew Storms. Other than fixing the FREAK crypto problem, “the other big news is of course that Stuxnet has reared its ugly head five years after it became public. Almost everyone thought Microsoft had patched the LNK vulnerability used in Stuxnet, but today we are finding that it wasn’t entirely patched. Five years later is a long time — you have to wonder if it has been completely patched this time, and if there may be other older vulnerabilities that have been only partially patched.”

Eight of Microsoft’s security bulletins say a restart is required, five say a restart may be required, and only one is marked as not requiring a restart. Happy patching!

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.