February is the shortest month of the year, and I was hoping perhaps it would bring us the lightest Patch Tuesday of the year as well, especially since I’m working on a cruise ship somewhere in the middle of the Caribbean, en route today from Aruba to Cozumel. Unfortunately, that was not to be; last month’s slate of eight patches has grown to nine this month. Let’s just hope that pattern doesn’t hold for the rest of the year.

Of course, it could have been worse. Of the nine security updates that were issued today, there are four remote code execution vulnerabilities, two security feature bypasses, and one elevation of privilege and information disclosure. Only three of the nine are classified as critical; the rest are rated important.

For more information about the updates and step-by-step instructions regarding any workarounds, please see the individual security bulletins, which are linked in this month’s Security Bulletin Summary. Now let’s take a look at each of the security bulletins individually.

Critical

MS15-009 (KB3034682) This update is for the Internet Explorer web browser and it addresses a whopping forty-one vulnerabilities, one of which had been publicly disclosed. It affects all currently supported versions of IE (6 through 11) on all currently supported Windows operating systems (Vista and above on the client side, including Windows RT and RT 8.1, and Server 2003 SP2 and above on the server side).

The vulnerabilities include a remote code execution issue that is responsible for the critical rating assigned to this update on client operating systems. Multiple memory corruption vulnerabilities can allow for remote code execution. The threat is rated as moderate on Windows servers. In addition to the remote code execution vulnerability, this update also addresses elevation of privilege, cross-domain information disclosure and security (ASLR) bypass vulnerabilities.

The update fixes these problems by making several changes, including modification of the way objects in memory are handled. Several additional permission validations are added.

MS15-010 (KB3036220) This update addresses six vulnerabilities in the Windows kernel mode driver, one of which had been publicly disclosed, and it is rated critical for all supported versions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. Windows Server 2003, Windows Vista, and Windows Server 2008 are also affected but the rating is important for those operating systems.

The vulnerabilities include elevation of privilege, security bypass, a cursor object double free vulnerability, a TrueType font parsing remote code execution vulnerability, and a Windows font driver vulnerability that could result in a denial of service attack. There are workarounds available for some of the vulnerabilities. One involves editing the registry but it’s for Windows 7 only. The other requires running command line commands. Instructions are included in the full bulletin published on TechNet.

The update fixes the problems by correcting the validation process in the Windows kernel-mode driver and changing the way objects in memory are handled.

MS15-011 (KB3000483) This update addresses a single vulnerability in Group Policy that could result in remote code execution and allow an attacker to take control of the system. It affects all currently supported versions of Windows client and server, including Windows RT and RT 8.1. Although that includes Windows Server 2003, there is no update being issued for it. The vulnerability is rated critical on all affected operating systems.

The problem is the way Group Policy receives and applies the policy data when a domain computer connects to the domain controller. No workarounds are available, but the good news is that the attacker would have to convince the user to connect to a network that is controlled by the attacker in order to exploit the vulnerability.

The update fixes the problem by changing the way computers that belong to a domain connect to the DC before Group Policy information is received.

Important

MS15-012 (KB3032328) This update addresses three remote code execution vulnerabilities in Microsoft Office applications that were reported privately. It affects Microsoft Excel and Word in Office 2007, 2010 and 2013, both 32- and 64-bit editions, as well as the Word and Excel Viewer software, the Office Compatibility Kit SP3, SharePoint Server 2010 and Office Web Apps 2010.

The three vulnerabilities include a memory corruption issue in Excel, a problem with the way Word parses specially crafted Office files, and a vulnerability in OneTableDocumentStream in Word. Exploiting any of these would require the user to open a specially crafted Excel or Word file, delivered as an email attachment or through a drive-by web download.

The update fixes the problem by correcting the way Office applications parse these types of files.

MS15-013 (KB3033857) This update addresses a vulnerability in Microsoft Office that had been publicly disclosed. It affects all supported editions of Office 2007, 2010 and 2013, not including Office Web Apps. This is a use after free vulnerability that can result in a bypass of the ASLR security feature.

The vulnerability can be exploited by convincing a user to open a specially crafted malicious Office file in an Office application (Viewer software is not vulnerable). The mandatory ASLR mitigation in EMET can be used as a workaround if you’re unable to apply the update.

The update fixes the problem by changing the way Office applications parse these specially crafted files.

MS15-014 (KB3004361) This update addresses another Group Policy vulnerability that was reported privately. It affects all currently supported versions of the Windows operating system, both client and server, including Windows RT and RT 8.1 and also including the server core installation of Windows Server.

The vulnerability could be exploited to bypass security features through a man-in-the-middle attack that corrupts the Group Policy Security Configuration Engine file. This would cause Group Policy settings to revert to less secure default settings.

The update fixes the problem by changing the way Group Policy settings are applied if the Security Configuration Engine file does become corrupted.

MS15-015 (KB3031432) This update addresses an elevation of privilege vulnerability that was reported privately. It affects Windows 7 and later client operating systems and Windows Server 2008 R2 and above server operating systems, including Windows RT and RT 8.1 as well as the server core installations. It does not affect Windows Vista, Server 2003 and 2008.

The vulnerability can be exploited by an authenticated attacker who logs on and runs a specially crafted application. The problem is caused by the failure of Windows to properly validate and enforce impersonation levels.

The update fixes the problem by changing the way impersonation events are validated by Windows.

MS15-016 (KB3029944) This update addresses a vulnerability in the graphics component of Windows that was reported privately. It affects all supported versions of the Windows operating system, both client and server, including Windows RT and RT 8.1 as well as the server core installation.

This vulnerability can be exploited through a specially crafted TIFF graphics file to allow unauthorized disclosure of information that could be used to compromise the targeted system. The problem is caused by a failure of Windows to properly handle uninitialized memory in the process of parsing specially crafted TIFF images.

The update fixes the problem by changing the way Windows processes files in TIFF format.

MS15-017 (KB3035898) This update addresses a vulnerability in the Virtual Machine Manager (VMM) in Microsoft System Center 2012 R2 that was reported privately. It affects only SCVMM 2012 R2 Update Rollup 4, so the scope of impact is fairly limited.

The vulnerability could be exploited by an attacker who is able to log on to a VMM server. The attacker could then take control of all the virtual machines managed by that VMM server. The good news is that the attacker must first have valid AD credentials to log on. The problem is the failure of VMM to properly validate user roles.

The update fixes the problem by changing the way user roles are validated by the VMM server.