Microsoft's August 2015 Patch Tuesday fixes today included 14 bulletins, four of which are rated critical and six of which could ultimately lead to remote code execution.
According to Qualys, Inc. CTO Wolfgang Kandek, the most important bulletin this month is MS15-081, which addresses vulnerabilities in Microsoft Office 2007, 2010 and 2013. Microsoft says the most severe of these vulnerabilities could allow remote code execution (RCE) if a user opens a specially crafted Microsoft Office file.
Kandek noted in a blog post that an Office bulletin garnering a "critical" rating is rare, and exploits for this bug have been seen in the wild.
"It is rated critical which is rare for an Office bulletin, as Microsoft typically downgrades a vulnerability when user interaction is required, such as opening a DOCX file," Kandek said. "But CVE-2015-2466 is rated critical on Office 2007, Office 2010 and Office 2013 indicating that the vulnerability can be triggered automatically, possibly through the Outlook email preview pane, and provide remote code execution, giving the attacker control over the targeted machine."
Craig Young, computer security researcher with Tripwire Inc.'s Vulnerability and Exposures Research Team, said this is a serious issue, and one that is far too common.
"Handling documents from untrusted sources always has been and always will be a very risky endeavor," Young said. "Users should be cautious in general about downloading and opening documents when connected through a public Wi-Fi or other untrusted network due to the risk that a network level attacker can insert malicious content into files in transit."
MS15-080 addresses critical vulnerabilities in the Microsoft Graphics Component, which could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType or OpenType fonts. This bulletin was noted as one to watch by experts because of the breadth of software affected, including Microsoft Lync, Spotlight, Office 2007 and 2010, as well as all actively supported versions of Windows.
MS15-079 is this month's bulletin for Internet Explorer and it addresses 13 vulnerabilities, 10 of which are rated as critical and could allow for remote code execution.
The last critical bulletin of the month, MS15-091, is also the first bulletin ever for Microsoft's new Edge browser found in Windows 10; experts note that while this is a critical bulletin, the impact is lessened by the fact that Windows 10 was released just two weeks ago. Kandek also noted that the three critical RCE vulnerabilities listed for the Edge browser are also listed as affecting IE in its bulletin.
Important for a reason
Young noted that while there are two more bulletins listed as potentially allowing remote code execution, they aren't quite as scary as they sound.
MS15-085 covers a vulnerability in the Mount Manager of all supported versions of Windows, which could allow elevation of privilege if an attacker inserts a malicious USB device into a target system and then writes a malicious binary to disk and executes it.
Expert opinion is split on the severity of this vulnerability. Microsoft labels it "important," a rating that often indicates a vulnerability is more difficult to exploit than a "critical" one. Because it has been exploited publicly, some experts list it as a standout patch from this month's release. But Young said it isn't as easy to exploit as it may seem at first.
"My first reaction was that this might be another plug and pwn bug like the LNK exploit used in the Stuxnet attacks against Iran's nuclear program. On closer inspection, however, it becomes clear that this is not even in the same ballpark," Young said. "This can easily be used by a physically local attacker to perform DLL or binary hijacking attacks in order to get code executing with system permissions, but it does not appear to offer an attack vector for a system to be automatically compromised when mounting the USB stick. Furthermore, it does not appear that an attacker could use this vulnerability to gain permissions on a locked system since there is no automatic code execution."
Young also noted that while MS15-082 resolves vulnerabilities in Remote Desktop Protocol, which could allow for remote code execution, there is a reason Microsoft rated this bulletin as "important" rather than "critical."
"With MS15-082, 'remote' code execution is only possible if the attacker already has some degree of access to get a DLL file loaded into the victim's current working directory and then load an .RDP file," Young said. "While this could certainly be exploited in the wild, it will require some level of user interaction for a successful attack."
Of the remaining bulletins all rated as "important," one could allow remote code execution through a vulnerability in the Windows Server Message Block (MS15-083); three bulletins could allow for information disclosure through vulnerabilities in XML Core Services (MS15-084), WebDAV (MS15-089), and how Windows, IE and Office pass command line parameters (MS15-088); and the final four bulletins could allow for elevation of privilege through vulnerabilities in Microsoft System Center Operations Manager (MS15-086), UDDI Services (MS15-087), Windows (MS15-090), and the .NET Framework (MS15-092).