Microsoft Patch Tuesday April 2015 closes 0-day holes: 4 of 11 patches rated critical

For April 2015 Patch Tuesday, Microsoft released 11 security bulletins, four of which are rated as critical, to address 26 vulnerabilities.

Rated Critical

All four critical security updates resolve remote code execution (RCE) vulnerabilities.

MS15-033 should be your top priority, according to Qualys CTO Wolfgang Kandek, as it addresses a zero-day vulnerability in Microsoft Office, which is currently under limited attacks in the wild on Word 2010. Although Microsoft noted that to exploit the RCE vulnerability, an attacker must get a user to open a specially crafted Office file, Kandek added, “This is a very low security barrier at most organizations as it is part of the job for employees to open Word DOCX files and they have come to trust the format. The attacker will send an email with the malicious file attached or linked. If the e-mail is worded well, click/opening rates over 10% are guaranteed.”

This vulnerability is rated critical for Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2010, Microsoft Office Web Apps Server 2010, Microsoft Word Viewer, Microsoft Office Compatibility Pack and Word Automation Services on Microsoft SharePoint Server 2010.

MS15-033 also fixes two critical RCE flaws that could be exploited in Office 2007 and 2010 if the user simply looks at an email in the Outlook preview pane.

MS15-034 resolves a vulnerability in HTTP.sys; it’s rated critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. Although Microsoft doesn’t add much more than that, Andrew Storms, security analyst for Tripwire, called the patch a “potentially catastrophic fix for a remote code execution hole in http.sys.”

Storms added, “Microsoft is provided very few details about the bug other than to say that anyone can send a malicious HTTP request to a Windows server and gain full remote control. Unfortunately, the work around advice provided in the bulletin is extremely sparse so everyone running a web server on a Windows server better be prepared to stay up late and get this patch out ASAP.”

“At first glance it appears that this flaw is related to IIS kernel caching support as it pertains to processing crafted HTTP request headers,” said Tripwire security researcher Craig Young. “It’s likely that we’ll see this bug being exploited in the wild in a very short timeframe.”

“Interestingly enough however, MS15-034 does not affect the older Windows Server 2003 IIS platform, indicating that this bug was introduced in the newer IIS releases,” Young added.

MS15-032 fixes 10 security holes in Internet Explorer, nine of which are rated critical. Basically, if IE is on your machine, then you need this patch as IE6 to IE11 are vulnerable without it.

MS15-035 closes an RCE flaw in Microsoft graphics component, specifically in the Enhanced Metafile (EMF) file format that could be exploited if an attacker convinces a user to browse a maliciously crafted site, file, “or browse to a working directory that contains a specially crafted EMF image file.” Kandek pointed out that exploitation would most likely be limited to desktop and laptop boxes; the “vulnerability is also limited to older versions of Windows, such as Windows 7, Vista, Server 2003 and 2008.”

Critical fix for Adobe Flash Player

APS15-06 is also critical to patch Adobe Flash Player as CVE-2015-3043 is currently being exploited in the wild.

Microsoft patches rated as Important

MS15-036 for Microsoft SharePoint Server, MS15-037 for Windows Task Scheduler and MS15-038 for Microsoft Windows are all rated as important fixes for Elevation of Privilege (EoP) flaws.

MS15-039 resolves a security feature bypass vulnerability in Microsoft XML Core Services 3.0 and all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Microsoft explained that the patch corrects “how Microsoft XML Core services enforces the same-origin policy in a document type declaration (DTD) scenario.”

The next two Microsoft security updates address information disclosure bugs. Microsoft said MS15-040 resolves a hole in “Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.” MS15-041 patches a flaw in Microsoft .NET Framework.

MS15-042 provides the fix for Microsoft Windows Hyper-V that “could allow denial of service if an authenticated attacker runs a specially crafted application in a virtual machine (VM) session.” Microsoft noted that “the denial of service does not allow an attacker to execute code or elevate user rights on other VMs running on the Hyper-V host; however, it could cause other VMs on the host to not be manageable in Virtual Machine Manager.”

Oracle Patches

Lastly is Oracle. Shavlik product manager Chris Goettl said, “Oracle’s quarterly CPU is also occurring this month and happens to fall on Patch Tuesday. Oracle Java is resolving 15 vulnerabilities – all of which are remotely exploitable without authentication. The highest CVSS Base Score of these 15 vulnerabilities is a 10.0, which is the highest possible score. It goes without saying that Java should be a priority update this month. Three other Oracle products are resolving CVE’s with a 10.0 CVSS Base Score. So if you have Oracle Fusion Middleware, Oracle Sun Systems Products Suite or MySQL, they are all including vulnerabilities that are remotely exploitable without authentication and should be a priority to investigate for update this patch cycle.”

Happy patching!