determined - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

March 2015 Patch Tuesday: Microsoft offers quick FREAK fix

Microsoft's March 2015 Patch Tuesday bulletins include a fix for the FREAK vulnerability, as well as five critical fixes, but surprisingly, an expert says one of the fixes deemed non-critical actually demands immediate attention.

Microsoft released its March 2015 Patch Tuesday fixes today, which targeted remote code execution vulnerabilities in Windows, Microsoft Office, Internet Explorer and Adobe Font Driver, and also patched the highly publicized FREAK vulnerability.

The release, which Microsoft now refers to as Update Tuesday, included 14 total bulletins, five of which were marked as "critical," and included 10 vulnerabilities that Microsoft labeled as reliable attack vectors for remote code execution (RCE). However, Craig Young, security researcher for Tripwire Inc., based in Portland, Ore., said the most important bulletin for enterprises may not be any of those.

MS15-027 -- which describes a vulnerability in NETLOGON that affects Windows Server 2003, Windows Server 2008 and Windows Server 2012 -- may be the most serious of the bulletins. Microsoft said the vulnerability (CVE-2015-0005) could allow spoofing on a domain-joined system, as well as allow an attacker to observe network traffic.

Young said that the flaw could allow an attacker who has already breached a workstation with a separate attack to move deeper into an organization's network.

"For example, an intruder could use the Office defect to gain low-level access into a network and then use impersonation techniques leveraging CVE-2015-0005 to further penetrate the network," Young said. "The risk of APT and insider threats make it imperative that enterprises patch their domain controllers with MS15-027 immediately."

MS15-018 is this month's cumulative Internet Explorer bulletin, and according to Wolfgang Kandek, chief technology officer for Redwood Shores, Calif.-based cloud security vendor Qualys Inc., it should be treated as the most important bulletin of the month. It includes 12 total patches, 10 of which could lead to remote code execution attacks. The vulnerabilities affect IE versions ranging from IE 6 to IE 11, and mostly target Internet Explorer memory-corruption vulnerabilities.

There was also a VBScript memory-corruption vulnerability in the IE patches that was, according to Kandek, something of a "sister bulletin" to MS15-018. MS15-019 included a patch to the VBScripting engine in IE 6 and 7, where MS15-018 included patches for IE versions 8 and newer.

The risk of APT and insider threat make it imperative that enterprises patch their domain controllers with MS15-027 immediately.
Craig YoungSecurity Researcher, Tripwire Inc.

Kandek labeled MS15-022 as the second most important critical bulletin of the month, which targeted five total vulnerabilities in Microsoft Office, three of which could result in remote code execution by an attacker.

The most critical of these patches targets a vulnerability (CVE-2015-0086) that affects Microsoft Word 2007, Microsoft Office 2010, Microsoft Word 2013 and Microsoft Word Viewer. The flaw exists because Office software failed to properly handle Rich Text Format (RTF) files in memory, and could allow an attacker to use a specially crafted file to perform actions as the affected user. Microsoft did note that the permissions of the affected user could mitigate the potential actions of the attacker.

The MS15-021 bulletin fixes how the Adobe Font parser allocates memory and corrects how objects in memory are handled. These vulnerabilities in the Adobe Font Driver could allow remote code execution if a user viewed a specially crafted file or website. A successful exploit could even allow the attacker to take complete control of an affected system, including being able to install programs, view, change or  delete data, or create new accounts with full user rights.

The final critical bulletin, MS15-020, addresses an issue that affects all currently supported versions of Windows and Windows Server. The vulnerability could allow remote code execution if an attacker successfully convinced a user to browse to a specially crafted website, open a specially crafted file, or open a file in a working directory that contains a specially crafted DLL file.

Kandek said that while the most important patches included in the release were those involving Internet Explorer, Microsoft Office and Adobe Font Driver, organizations may also want to pay close attention to three other bulletins.

MS015-026 resolves a vulnerability in Microsoft Exchange Server that could allow elevation of privilege if a user is lured to a targeted Outlook Web App site.

MS015-030 addresses a flaw in the Remote Desktop Protocol (RDP), which could allow a denial-of-service attack.

Lastly, MS015-031 includes a patch for the Windows Schannel, the basis of the recently revealed FREAK vulnerability, and affects all supported versions of Windows, as well as Linux and Mac OS.

The FREAK vulnerability could lead to a man-in-the-middle attack by allowing an attacker to downgrade an encrypted SSL/TLS session, forcing client systems to use a weaker RSA export cipher, and then intercepting and decrypting this traffic.

The remaining five important bulletins dealt with vulnerabilities in various Windows components that could lead to is sues including elevation of privilege, security feature bypass or information disclosure.

Next Steps

Catch up on the February 2015 Patch Tuesday news here.

Dig Deeper on Microsoft Patch Tuesday and patch management