April 2015 Microsoft Patch TuesdayLast month, IT pros were hit hard with a heavy Patch Tuesday slate of 14 security updates, the vast majority of them for Windows. This time it’s a little lighter, but not what you can call a real break: we still have 11 patches to deal with.

Once again, most of the updates are for Windows, with one for SharePoint and one for Office, along with the usually-present cumulative update for Internet Explorer. Four updates are rated critical and all of these are remote code execution issues.

For a more detailed information about these updates, please see the April Security Bulletin Summary on the Microsoft website.

Critical

MS15-032 (KB3038314)
This is a cumulative update for Internet Explorer that addresses 10 vulnerabilities in the web browser software. It affects all supported versions of IE, including IE 6 on Windows Server 2003 SP 2 (IE 6 on XP has reached end-of-life). There is no mention of Windows RT, but the Windows 10 technical preview and Windows Server technical preview are also affected.

Most of these vulnerabilities (nine of the ten) involve memory corruption issues. One is an ASLR bypass vulnerability. There are no published mitigations or workarounds for any of the vulnerabilities at this time.

The update fixes these problems by resolving the handling of objects in memory and ensuring proper implementation of the ASLR security mechanism.

MS15-033 (KB3048019)
This is an update for multiple vulnerabilities in Office. It affects Office 2007, 2010, 2013 and 2013 RT, as well as Office for Mac (Outlook for Mac for Office 365 and Office for Mac 2011), Word Viewer and the Office Compatibility Pack SP3. SharePoint Server 2010 and 2013 and Office Web Apps 2010 and 2013 are also included, so we’re looking at just about any and all supported versions of Office-related software.

The cumulative rating is critical for all of the Office versions for Windows except Office 2013 and 2013 RT, which is rated important. The rating is also important for Office programs for Mac. One vulnerability is a memory corruption issue, one (the Outlook App for Mac vulnerability) is related to elevation of privilege and there are three Use After Free vulnerabilities, two of which use the preview pane as an attack vector.

The update fixes these problems by changing the handling of files in memory, correcting the way Office parses specially crafted files and ensuring that SharePoint Server sanitizes user input properly.

MS15-034 (KB3042553)
This is an update for a vulnerability in the HTTP.sys component in Windows that could allow remote code execution. It affects Windows 7, 8, 8.1, Server 2008 R2, 2012 and 2012 R2, including the server core installations. It also affects the Windows Technical Preview (Windows 10) and the Windows Server Technical Preview.

The rating is critical for all affected operating systems. There are no published mitigations but there is a workaround that’s specific to IIS. It can cause performance issues so proceed with caution.

The problem is that HTTP.sys improperly parses specially crafted HTTP requests so an exploit could allow running of arbitrary code in the System context. The update fixes the problem by changing the way the HTTP stack handles such requests.

MS15-035 (KB3046306)
This is an update for a vulnerability in the Microsoft Graphic component that could allow remote code execution. It affects Windows Vista and Windows 7 as well as Windows Server 2003, 2008, and 2008 R2, including server core installations. It does not affect Windows 8 and above nor Server 2012 and above.

The rating is critical for all affected operating systems. There are no published mitigations but there are workarounds. These involve turning off metafile by either manually editing the registry or using managed deployment script to do so.

The problem is in the way Windows handles specially crafted EMF (Enhanced Metafile) image format files that could be exploited by an attacker to run arbitrary code in the context of the logged-on user, either through a web-based or email-based attack. The update fixes the problem by changing the way Windows processes EMF files.

Important

MS15-036 (KB3052044)
This is an update for two vulnerabilities in SharePoint Server that could allow an attacker to elevate privileges and read files without authorization or take other actions on the site spoofing the logged-on user’s identity, including running scripts, changing permissions, deleting content, etc. It affects SharePoint 2010 and 2013.

The rating for all affected software is important. There are no published mitigations or workarounds. The problem involves cross-site scripting (XSS) and occurs when an attack sends a specially crafted file to a SharePoint Server, which does not properly sanitize the request.

The update fixes the problem by changing the way SharePoint sanitizes user input.

MS15-0937 (KB304269)
This is an update for a vulnerability in Windows Task Scheduler that can be exploited to gain elevated privileges. It affects only Windows 7 and Server 2008 R2, including the server core installation. It does not affect Vista, Windows 8/8.1, Windows RT/RT 8.1 or Server 2003, 2008, 2012 and 2012R2, so impact is limited.

The rating is important for both the client and server operating systems.  There are no published mitigations or workarounds at this time.

The problem involves an invalid task that is present in Task Manager on some systems, which an attacker can use to run a specially crafted application in the context of the System account, thereby gaining the ability to install programs, view data without authorization and change or delete it or even create new accounts. The good news is that this will only work on those systems where the invalid task is present. The update fixes the problem by checking the system for this invalid task and removing it if it is present.

MS15-038 (KB3049576)
This is an update for two vulnerabilities in all supported versions of Windows that could allow elevation of privileges. It affects Vista, Windows 7, 8, 8.1, RT, RT 8.1 and Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installations.

The rating is important for all operating systems. There are no published mitigations or workarounds for either of these vulnerabilities.

The first problem involves NtCreateTransactionManager type confusion that causes improper validation and enforcement of impersonation attacks, the exploit of which could allow attackers to bypass impersonation-level security checks. The good news is that the attacker has to beat authentication; the bad news is that a successful exploit could result in the attacker obtaining administrative privileges.

The second problem is the same type of vulnerability involving MS-DOS device name. Again, the attacker has to be able to log onto the system first in order to exploit it.

The update fixes both of these problems by changing the way Windows validates impersonation events.

MS15-039 (KB3046482)
This is an update for a vulnerability in the XML Core Services version 3.0 of Windows that can be exploited to accomplish a security bypass. It affects older supported Windows operating systems: Vista, Windows 7, Server 2003, 2008 and 2008 R2, including the server core installation of the latter.  It does not affect Windows 8 and later or Server 2012 and later.

The rating is important for the affected operating systems. There are no published mitigations or workarounds for this vulnerability at this time.

The problem involves a security feature called the MSXML3 Same Origin Policy that could be bypassed by an attacker through a document type declaration scenario, wherein the attacker sends a specially crafted link to the user via a web site, email or instant message. The attacker then could possibly access the user’s logon credentials as well as files stored on the hard drive.

The update fixes this problem by changing the way the XML Core Services enforces the Same Origin Policy in these types of situations.

MS15-040 (KB3045711)
This is an update for a vulnerability in the Active Directory Federation Services (ADFS) in Windows Server. It affects Windows Server 2012 R2, including the server core installation. The client operating systems are not affected and neither are the previous versions of Windows Server, and only those servers that have the ADFS role installed are affected, so the impact is limited.  However, if you are testing the Windows Server Technical Preview, be aware that it is affected as well, and an update is available for it.

The rating is important. There are no published mitigations or workarounds for this vulnerability at this time.

The problem comes about because ADFS can fail to log off a logged-on user, and that can result in unintentional disclosure of information if an attacker exploits it to reopen an application that the user was using. The attacker would not be asked to enter a username and password to access the information in this application.

The update fixes the problem by making sure that users are properly logged off.

MS15-041 (KB3048010)
This is an update for a vulnerability that exists in most versions of the Microsoft .NET Framework running on Windows client and server operating systems. It affects Microsoft Framework versions 1.1 through 3.5.2 on Vista, Windows 7, 8, 8.1, RT and RT 8.1 as well as Server 2003, 2008, 2008 R2, 2012 and 2012 R2. However, most systems are not vulnerable due to default settings (see below) so the impact is limited.

The rating is important for all affected operating systems. There are no published mitigations but there are workarounds that can be used if you aren’t able to install the update. These include configuring .NET in retail mode on web servers and enabling custom errors for all web sites.

The problem is that ASP.NET improperly handles certain requests on Windows systems that have custom error messages disabled. By default, systems would not be vulnerable but if detailed errors messages have been turned on, your system could be exposed to this vulnerability. In that case, an attacker can exploit the vulnerability by sending a specially crafted web request to the web server. This can result in disclosure of information that was not intended to be accessible.

The update fixes this problem by removing the file content details from the error messages.

MS15-042 (KB3047234)
This is an update for a vulnerability in the Hyper-V feature of some Windows operating systems that could allow for a denial of service (DoS) attack. It affects only Windows 8.1 and Server 2012 R2, including the server core installation. It also affects the Windows Technical Preview (Windows 10) and the Windows Server Technical Preview.

The rating for both operating systems is important. There are no published mitigations or workarounds at this time.

The problem has to do with the way that the Virtual Machine Manager (VMM) in Hyper-V validates user input. An attacker can exploit the vulnerability by running a specially crafted application in a virtual machine; this could result in the inability to manage other VMs on this Hyper-V host. It would not allow code execution or privilege elevation.

The update fixes the problem by correcting the way VMM validates input from users.

Update: Patch updates that were issued with Microsoft’s April Patch Tuesday batch are causing problems for some users. The troubles are not coming from the updates illustrated in this post but from some of the non-security patches that were released at the same time. Click here for more information