Microsoft released its February 2015 Patch Tuesday fixes today, targeting remote code-execution vulnerabilities in Internet Explorer, Windows and Office, but not fixing a recently revealed IE zero-day flaw.
The software giant's Update Tuesday release included nine separate bulletins; three were marked "critical," and four in total addressed remote code-execution vulnerabilities that experts urge organizations to take notice of.
Critical bulletin MS15-011 is a high priority for enterprise, according to Wolfgang Kandek, chief technology officer for cloud security vendor Qualys Inc., based in Redwood Shores, Calif. The patch addresses a vulnerability in the Microsoft Group Policy mechanism allowing an attacker to take complete control of an affected system by tricking a client machine into connecting to a malicious domain.
Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., said this vulnerability could pose a risk to organizations, particularly those whose employees work remotely using unsecured wireless networks.
"The prevalence of workers using enterprise laptops to work remotely from coffee shops, hotels and airports with unauthenticated Wi-Fi makes it trivial for attackers to simply advertise common network names and get unsuspecting laptops connected," Young said. "A more aggressive attacker can even broadcast spoofed messages from a legitimate wireless network forcing clients to disconnect and then luring them into the attacker's control."
The vulnerability affects Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1, but Microsoft is notably not issuing a patch for Windows Server 2003. Kandek posited that this is because of the upcoming end-of-life for Windows Server 2003 in July.
According to a fact sheet about the bug from Chicago-based JAS Global Advisors LLC, Microsoft was required to make extensive changes to core components in Windows and add several new features in order to fix the bug.
Because of these new features, Young said enterprises must be careful with this patch, warning that it isn't a simple installation. The patch provides three new settings pertaining to authentication, integrity and privacy that must be applied to a new Group Policy in order to successfully patch a workstation.
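As an added illustration (not from the article or from Microsoft), the following PowerShell audit reads the "Hardened UNC Paths" policy that MS15-011 introduces under Computer Configuration > Administrative Templates > Network > Network Provider, and reports whether the SYSVOL and NETLOGON shares require the authentication, integrity and privacy settings the article refers to. The registry location and the value format are assumed from Microsoft's MS15-011 guidance; the list of shares to check is a constructed default.

```powershell
# Added example: audit a workstation for the MS15-011 "Hardened UNC Paths" policy.
# Assumed registry location (from Microsoft's MS15-011 guidance):
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
# Each value name is a UNC path pattern; its data is a comma-separated list such as
#   "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
function Get-HardenedUncPathStatus {
    param(
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths',
        # Constructed default: the two domain shares that Group Policy clients read from.
        [string[]]$RequiredShares = @('\\*\SYSVOL', '\\*\NETLOGON')
    )

    # Collect every configured UNC pattern (value names starting with "\\").
    $configured = @{}
    if (Test-Path $RegistryPath) {
        $item = Get-ItemProperty -Path $RegistryPath
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like '\\*') {   # skip PSPath, PSParentPath, etc.
                $configured[$prop.Name] = [string]$prop.Value
            }
        }
    }

    foreach ($share in $RequiredShares) {
        $flags = @{ RequireMutualAuthentication = 0; RequireIntegrity = 0; RequirePrivacy = 0 }
        $raw = $configured[$share]
        if ($raw) {
            # Parse "Key=Value" tokens; unknown keys are ignored.
            foreach ($token in ($raw -split ',')) {
                $kv = $token.Trim() -split '='
                if ($kv.Count -eq 2 -and $flags.ContainsKey($kv[0].Trim())) {
                    $flags[$kv[0].Trim()] = [int]$kv[1].Trim()
                }
            }
        }
        # A share counts as hardened only when both mutual authentication and
        # integrity are required; privacy (encryption) is reported separately.
        [pscustomobject]@{
            Share                       = $share
            Configured                  = [bool]$raw
            RequireMutualAuthentication = [bool]$flags.RequireMutualAuthentication
            RequireIntegrity            = [bool]$flags.RequireIntegrity
            RequirePrivacy              = [bool]$flags.RequirePrivacy
            Hardened                    = [bool]($flags.RequireMutualAuthentication -and $flags.RequireIntegrity)
        }
    }
}

Get-HardenedUncPathStatus | Format-Table -AutoSize
```

A row with Configured = False or Hardened = False means the binary update is installed but the Group Policy side of the MS15-011 fix has not yet been applied to that machine.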
Other RCE patches
The Internet Explorer (IE) bulletin, MS15-009, is massive, holding fixes for 41 total vulnerabilities affecting versions from IE 6 to IE 11, and addressing various issues including remote code-execution, ASLR bypass, privilege elevation and information disclosure vulnerabilities.
Kandek noted that this is a much higher number than usual because Microsoft's January bulletins did not include any IE fixes.
Kandek also said that one of the vulnerabilities listed in this bulletin is not labeled as a remote code-execution flaw, but has been known to be used in conjunction with other vulnerabilities in order to remotely gain control over targeted machines.
One omission from this release that was noted by most experts was a fix for the recently revealed XSS flaw in IE. Young noted that the risk associated with this vulnerability is high enough that it is possible to see an out-of-band patch from Microsoft before the next scheduled Patch Tuesday release in March.
MS15-012 is the only patch that addresses a remote code-execution vulnerability that is not labeled as critical, but Kandek said it should still be high on enterprises' priority lists when installing patches. The patch fixes three vulnerabilities related to improperly parsing documents in Microsoft Excel 2007, Microsoft Word 2007, Microsoft Office 2010, Microsoft Excel 2010, Microsoft Word 2010, Microsoft Web Applications 2010, Microsoft Excel 2013, Microsoft Word Viewer, Microsoft Excel Viewer and the Microsoft Office Compatibility Pack.
Microsoft listed this vulnerability as "important" rather than "critical" because the risks can be mitigated based on the user rights of the account that is attacked, and users with fewer rights will be less impacted. Kandek stressed the other side of that equation: users with administrative rights would be at risk of having their entire machine taken over.
MS15-010 is a critical patch targeting six vulnerabilities in the Windows kernel-mode driver, affecting Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.
That bulletin included a fix for an issue revealed by Google's Project Zero, CVE-2015-0010, after its 90-day automatic disclosure deadline passed. Despite Project Zero's disclosure, Microsoft noted in the bulletin that it had not received any indication that the vulnerability had been used to attack customers.
Tripwire security manager Tyler Reguly noted that just three bulletins accounted for 50 of the 56 total patches released by Microsoft. He questioned if this strategy is best for customers.
"Microsoft is less interested in ease of patching and more interested in decreased bulletin numbers," Reguly said. "They are continuing to wedge multiple patches into a single bulletin, increasing the potential for chaos and confusion for their customers."
The remaining five patches released all address local issues. MS15-013 is an ASLR flaw in Office that could allow for a security feature bypass; MS15-014 is a Group Policy flaw in Windows that could also allow for a security feature bypass; MS15-015 could lead to elevated privileges in Windows; MS15-016 could allow information disclosure in Windows through a specially crafted TIFF image; and MS15-017 is a flaw in the Virtual Machine Manager in Server 2012 that could allow for elevated privileges.