Microsoft released its July 2015 Patch Tuesday fixes today, which were broken down into 14 bulletins -- five of...
those critical -- addressing a total of 59 CVEs, including two zero-day flaws revealed as part of the Hacking Team data breach.
According to Craig Young, computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, the first thought of everyone this month was whether or not Microsoft would release a patch for the kernel zero-day revealed as part of the Hacking Team breach data, especially in the wake of Adobe announcing patches for two more zero-days in its software exposed in the same data.
"With MS15-077, Microsoft has answered the tough question of what happens when a zero-day is publicly disclosed just days before a scheduled patch release," Young said. "The answer in this case was that Microsoft addressed the elevation of privilege bug used by Hacking Team to covertly give their surveillance software privileged access to affected Windows systems."
MS15-077 is a patch for a vulnerability in the Adobe Type Manager Font Driver, which affects Windows Server 2003, Server 2008, Server 2012, Windows Vista, Windows 7, 8, 8.1, RT and RT 8.1. The Hacking Team detailed a proof-of-concept exploit using this vulnerability which Microsoft said would allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
One of those patches, CVE-2015-2425, addresses a zero-day flaw affecting IE 11, which was exposed in the Hacking Team data. Threat management firm Vectra Networks said it reported the vulnerability to Microsoft on July 9th. Vectra said the flaw occurs within a custom heap in JSCRIPT9, meaning it may allow an attacker to bypass protections found in standard memory.
MS15-067 is the patch Young described as the "prize hog of this month" because it addresses a rare RCE vulnerability in the Windows Remote Desktop Protocol (RDP) affecting Windows 7, Windows 8, and Windows Server 2012.
"CVE-2015-2373 is the first code execution bug in RDP I can remember since 2012," Young said. "This is very high impact as many businesses rely on remote desktop protocol. This should be on the top of everyone's install list for sure. Although Microsoft describes that code execution as tricky, there are a lot of smart people out there and I'm sure it won't be long before proof-of-concept code starts floating around."
MS15-068 is a bulletin that could be important for those using shared hosting providers and virtualization. The patch is for Microsoft's Hyper-V virtualization platform on Windows Server 2008, Windows Server 2008 R2, Windows 8 and Windows Server 2012, and Windows 8.1 and Windows Server 2012 R2. Microsoft notes that the bug could allow privileged users remote code execution in a host context from a guest machine, but the attacker would need valid logon credentials for the guest machine.
MS15-070 includes a number of patches for Microsoft Office, including a number of memory corruption vulnerabilities, an ASLR bypass flaw and a DLL RCE vulnerability. One of the patches (CVE-2015-2424) addresses a memory corruption vulnerability in PowerPoint that has been actively exploited in the wild.
MS15-058 is the patch for a Microsoft SQL Server remote code execution bug which had been scheduled to be part of the June Patch Tuesday release. Experts assume that quality control issues forced the patch to be delayed until this month.
"This issue will be particularly critical for database hosting providers allowing users access to create and manipulate database schema in a shared environment," said Young. "Successful exploitation of this flaw would allow the attacker complete access to the SQL Server by leveraging a very specific edge case."
Of the rest of the patches, MS15-066 and MS15-069 address RCE vulnerabilities in the VBScript scripting engine and in how Windows loads DLLs, while the rest take on elevation of privilege flaws in Netlogon, Windows Graphics Component, Windows Kernel-Mode Driver, Windows Installer Service, Windows OLE, and Windows Remote Call Procedure.
This is also the last month of patches for Windows Server 2003, which has hit its end-of-life deadline; nine of the 14 bulletins affected this system.
"That is a clear indication that attackers will continue to find issues in Windows 2003 at roughly that rate," said Wolfgang Kandek, CTO of Qualys, Inc. "There are only two things to do to avoid that threat, migrate away from Server 2003 or pay Microsoft for the necessary patches through a special support contract."
Adobe and Java
Microsoft wasn't the only one hit by zero-day flaws in the wake of the Hacking Team data release. Last week, Adobe released an out-of-band update for one Flash Player zero-day revealed as part of the Hacking Team breach, and today Adobe has released patches for the other two Flash Player zero-day flaws exposed by the Hacking Team.
Somewhat of a surprise was that the Hacking Team data also included a zero-day vulnerability affecting Java (CVE-2015-2590), which hadn't had a zero-day flaw in two years. The vulnerability has been found in attacks targeting a the military of a NATO country as well as a U.S. defense organization, according to Trend Micro. Oracle has released its July 2015 Critical Patch Update today and the 25 patches for Java includes the fix for this zero-day.
Catch up on the June 2015 Patch Tuesday news here