July 2015 Patch Tuesday: Microsoft closes holes being exploited in the wild

Jul 14, 2015 (7 mins)

For July 2015, Microsoft released 14 security bulletins, with four patches rated as 'critical' remote code execution (RCE) fixes; patch now as several holes in Microsoft products are actively being exploited. Jump on the Flash emergency patch as well.

For July 2015, Microsoft released 14 security bulletins, with four patches rated as “critical” remote code execution (RCE) fixes. At least one of the fixes rated “critical” and some rated as “important” are currently being exploited in the wild.

Patches rated Critical

MS15-065 resolves 28 flaws in Internet Explorer that could otherwise “modify how IE, VBScript and Jscript handle objects in memory.” Qualys CTO Wolfgang Kandek pointed out that three of these were previously known (CVE-2015-2413, CVE-2015-2419 and CVE-2015-2421). “CVE-2015-2425 seems to come from the data dump at Hacking Team as well and I am impressed by the fix speed that Microsoft showed here. Of the other vulnerabilities a full 19 are of type RCE and allow the attacker to take over the targeted machine simply by browsing to a malicious, or infected site.”

MS15-066 addresses a vulnerability in the Windows VBScript scripting engine that an attacker could otherwise exploit for remote code execution.

MS15-067 resolves a hole in Windows that an attacker could exploit if the Remote Desktop Protocol server service is enabled.

MS15-068 is a fix for flaws in Windows Hyper-V, correcting “how Hyper-V initializes system data structures in guest virtual machines. The vulnerabilities could allow remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual machine to exploit this vulnerability.”

Patches rated Important that could allow RCE

Microsoft skipped MS15-058 last month, but has finally addressed the vulnerabilities in SQL Server that could allow remote code execution. Although it closes an RCE hole, Microsoft rated it only as “important.”

MS15-069 also deals with vulnerabilities that could allow RCE, but in Windows this time. “The vulnerabilities could allow Remote Code Execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s current working directory and then convinces the user to open an RTF file or to launch a program that is designed to load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

MS15-070 patches eight RCE vulnerabilities in Microsoft Office; one (CVE-2015-2424) is currently being exploited.

Rated Important: Could allow Elevation of Privilege

MS15-071 resolves a hole in Netlogon that could allow elevation of privilege (EoP). “The vulnerability could allow EoP if an attacker with access to a primary domain controller (PDC) on a target network runs a specially crafted application to establish a secure channel to the PDC as a backup domain controller (BDC).”

MS15-072 fixes a vulnerability in the Windows graphics component that could allow EoP if Windows “fails to properly process bitmap conversions” and an authenticated attacker exploits the bug.

MS15-073 resolves Windows Kernel-mode driver vulnerabilities which could result in EoP; the patch corrects how the Windows Kernel-mode driver handles objects in memory.

MS15-074 addresses a problem with the Windows Installer service that an attacker could exploit for EoP.

MS15-075 patches vulnerabilities in OLE. “The vulnerabilities could allow elevation of privilege if used in conjunction with another vulnerability that allows arbitrary code to be run through Internet Explorer. Once the other vulnerability has been exploited, an attacker could then exploit the vulnerabilities addressed in this bulletin to cause arbitrary code to run at a medium integrity level.”

MS15-076 should fix a hole in Windows Remote Procedure Call (RPC) authentication, which “could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

MS15-077 addresses the publicly disclosed vulnerability CVE-2015-2387 and a hole in the Windows Adobe Type Manager font driver. Although Microsoft ranks it only as “important,” Qualys said it is “currently under active exploitation.”

If you are running Windows Server 2003, then this is the last month Microsoft will release patches for you.

Windows 10 updates

With tree-like terms of “branches” and “rings,” Microsoft has gotten weirder about how it will update Windows 10, so this may be the last time I can wish you, “Happy patching!” Microsoft’s Terry Myerson has stated, “We won’t be updating every Windows consumer device on the second Tuesday of the month. We’re going to let consumers opt into what we’re calling ‘rings’.”

There will be “fast” and “slow” rings, but Steve Kleynhans of Gartner said, “Once Windows 10 ships, rings won’t determine how many updates you get, but rather your place in the queue to get a new update. As such, rings will be more about controlling the rate at which the updates flood out into market.”

There are also branches such as Current Branch, Current Branch for Business, and Long-term Service Branch (LTSB) with fast and slow rings for CB and CBB. Computerworld’s Gregg Keizer added, “Customers who want to opt in to a ‘fast’ ring on the Current Branch — the Windows update track geared towards consumers running Windows 10 Home — will receive updates first, while those who adopt the ‘slow’ ring will get slightly more stable and reliable code later.”

Microsoft’s staggered releases among the branches and rings, and a 16-month active lifespan per build, may all run smoothly…or it may turn into a fragmented nightmare.

Time to kill Flash?

Mozilla is ready to kill off Flash, as Mark Schmidt, head of Firefox Support, announced in a tweet: “All versions of Flash are now blocked by default in Firefox.” He later added, “Nothing relies on Flash as much as malware.”

“It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day,” tweeted Facebook security chief Alex Stamos one day before Firefox blocked Flash.

The newest Flash Player release is Go here to learn which version of Flash Player you are running; however, if you try that in Firefox you will not see the version installed information box as it is blocked. You can click to run it, but you will see “Firefox has prevented the unsafe plugin ‘Adobe Flash’ from running.” It will remain blocked while using Firefox until Adobe releases an updated version that addresses critical security vulnerabilities actively being exploited in the wild.

Today, Adobe released “security bulletins for Adobe Acrobat and Reader (APSB15-15), Adobe Shockwave Player (APSB15-17) and Adobe Flash Player (APSB15-18),” noting that unless updated, an attacker could exploit the critical vulnerabilities and potentially “take control of the affected system.” You should not delay updating Flash.

Adobe claims that “more than 500 million devices are addressable today with Flash technology, and it is projected there will be over 1 billion addressable devices by the end of 2015.” 20,000 apps in Apple and Google’s stores use Flash, as do 24 of the top 25 Facebook games. Supposedly most users, about 400 million, “update to the newest version of Flash Player within six weeks of release,” but dragging your heels instead of patching gives attackers plenty of time to pwn you.

Trend Micro compared using Flash to smoking, “We know it’s bad for us, but we can’t quit anyway.” Although “Flash is a security risk that rightly deserves to go away, it will hang around in the foreseeable future.”

At any rate, happy patching!


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.