Patch Tuesday July 2015

Summer got off to a pretty nice start last month, with only eight Microsoft patches to deal with on Patch Tuesday. Maybe you thought they were taking it easy for the season over at MSRC (the Microsoft Security Response Center). Or perhaps some of us were hoping that the whole company was so focused on the impending release to manufacturing (RTM) of Windows 10 that they would be going light on us again this month.

Well, no such luck; they’re back with a vengeance, with a total of 14 security updates released on July 14. The good news is that only four of them are rated Critical.

Remember the missing patch last time? We noted that June’s patch list skipped from MS15-057 to MS15-059. Well, July brings us MS15-058, which turned out to be an update for SQL Server.  Most of the rest (12, to be exact) are patches for the Windows operating system, including the ever-present Internet Explorer/Windows update that resolves multiple vulnerabilities. There is also one patch for Microsoft Office.

So here we go with this month’s changes. For more information from the proverbial horse’s mouth, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-jul.aspx

Critical

MS15-065 (KB3076321)

This is the usual multi-vulnerability fix update for Internet Explorer. It affects versions 6, 7, 8, 9, 10 and 11 of IE, and is rated Critical on client operating systems and Moderate on server operating systems.

This update addresses a whopping 29 vulnerabilities, which includes 19 memory corruption issues and 5 information disclosure issues. There is also an ASLR Bypass, a JScript9 vulnerability, an escalation of privilege issue, an XSS Filter Bypass, and a VBScript vulnerability. Obviously it’s a good idea to install this one sooner rather than later, since the web browser is a favorite point of attack.

This update fixes a myriad of problems by: modifying how Internet Explorer, VBScript, and JScript handle objects in memory; helping to ensure that affected versions of Internet Explorer properly implement the CFG security feature; preventing the XSS filter in Internet Explorer from incorrectly disabling HTML attributes; adding additional permission validations to Internet Explorer; helping to ensure that affected versions of Internet Explorer properly implement the ASLR security feature; helping to ensure cross-domain policies are properly enforced in Internet Explorer; helping to restrict what information is returned to external stylesheets; helping to ensure that file paths are properly validated before returning file data to the user; and helping to ensure that requests for module resources are properly validated in Internet Explorer.

MS15-066 (KB3072604)

This is an update for a vulnerability in the VBScript scripting engine that affects Vista SP2, Windows Server 2003 SP2, Server 2008 and 2008 R2, including the server core installation on the latter. It is rated critical for all affected systems except server core installation, which has not been given a rating.

The vulnerability is of the memory corruption type and could be exploited in a web-based scenario where an attacker hosts a specially crafted malicious site or by embedding an ActiveX control in an application or Office document that hosts the IE rendering engine. A successful exploit would give the attacker the same rights as the logged on user and could thus result in remote code execution.

The update fixes the problem by changing the way the VBScript engine handles objects in memory. There are no mitigations but there is a workaround by which you can restrict access to VBScript.dll via a command line entry, but this could negatively impact web sites that use VBScript. The workaround is published at https://technet.microsoft.com/en-us/library/security/MS15-066

MS15-067 (KB3073094)

This is an update for a vulnerability in the Remote Desktop Protocol that is built into Windows. It affects Windows 7 and 8 32-bit systems and Server 2012, including the server core installation, but only if RDP is enabled on the system. Note that RDP is disabled by default and must be explicitly enabled for the system to be at risk. It is rated critical across all affected systems, including the server core installation.

This is a single vulnerability that occurs because of the way RDP handles packets and it could be exploited to accomplish either a denial of service (DoS) or remote code execution. An attacker would need to send a specially crafted sequence of packets to a system on which the RDP service is enabled. There are no mitigations and no workarounds published.

The update fixes the problem by changing the way RDP handles packets.

MS15-068 (KB3072000)

This is an update for a pair of vulnerabilities in Windows Hyper-V that is included in recent versions of Windows client and server. It affects Windows 8 and 8.1 and Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installation. It is rated critical across all operating systems.

This update addresses two vulnerabilities in the Hyper-V virtual machine host context, one of which is a buffer overflow issue and one of which is a data structure vulnerability. Both can be exploited to accomplish remote code execution, although the former cannot do this on Server 2008/2008 R2 and 2012 server core installation, but 2012 R2 server core installation is vulnerable.

The update fixes both problems by correcting the way Hyper-V initializes system data structures in guest VMs.

Important

MS15-058 (KB3065718)

This is the missing update from last month, which addresses multiple vulnerabilities in SQL Server 2008, 2008 R2, 2012 and 2014. Although the two most severe of the three vulnerabilities could allow for remote code execution, it is only rated Important because the vulnerabilities are only exploitable within the context of a very specific configuration, database schema, data and queries.

The other vulnerability is an elevation of privilege issue that is caused by improper casting of pointers to an incorrect class by SQL Server. It is made less dangerous by the fact that the attacker would have to have permissions to create or modify a database in order to exploit it. There are workarounds for all of these vulnerabilities if you’re unable to install the patch; you can find the instructions for them at https://technet.microsoft.com/library/security/MS15-058 .

The update fixes these problems by correcting how SQL Server handles pointer casting and changing the way it handles internal function calls to uninitialized memory.

MS15-069 (KB3072631)

This is an update for two vulnerabilities in Windows that impacts Vista, Windows 7, Windows 8.1 and RT 8.1, and Server 2003, 2008, 2008 R2, and 2012 R2. It is rated Important across all affected operating systems.

The vulnerabilities are both related to the Windows dynamic link libraries. The first is a Windows DLL vulnerability and the second is a DLL Planting vulnerability. Both can be exploited to accomplish remote code execution. Both would require the attacker to place a specially crafted DLL file in the user’s current working directory and convince the user to launch or open the file. There are no identified mitigations for either. There is a workaround for the second vulnerability that consists of editing the registry to prevent Office documents from loading an ActiveX control. You can find the instructions here:
https://technet.microsoft.com/en-us/library/security/ms15-069.aspx

The update fixes the problems by changing the way Windows loads certain DLL files and how Windows Media Device Manager loads certain binaries.

MS15-070 (KB3072620)

This is an update for eight different vulnerabilities in Microsoft Office applications, servers and services. It affects Office 2007, 2010, 2013 and 2013 RT as well as Office for Mac 2011, Excel Viewer 2007, Microsoft Word Viewer, the Office Compatibility Pack SP3, SharePoint Server 2007, 2010 and 2013. It is rated Important across all affected software and services.

The vulnerabilities consist of six memory corruption issues, an Excel ASLR bypass and an Excel DLL remote code execution vulnerability. Exploiting the memory corruption vulnerabilities requires the attacker to send a specially crafted file via email, or to host a web site that downloads such files to the user, and to convince the user to open the file. The Excel ASLR bypass could be exploited the same way, with the file in question a specially crafted .xls file. To exploit the DLL vulnerability, the attacker would have to be able to put a specially crafted DLL file in the user’s working directory and convince the user to launch a program designed to load the DLL file.

The update fixes the problems by changing the way Office handles objects in memory, correcting the way Excel handles loading of binaries and changing the way memory information is disclosed.

MS15-071 (KB3068457)

This is an update for a vulnerability in the Netlogon service in Windows that affects currently supported Windows Server operating systems, including Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including the server core installation, when configured as domain controllers.  It is rated Important across all affected operating systems.

This is a single vulnerability that can be exploited to obtain an elevation of privilege if an attacker who has access to a primary domain controller on the network runs a specially crafted application to establish a secure channel to the PDC as a backup domain controller. There are no identified mitigations or workarounds published.

The update fixes the problem by changing the way Netlogon creates secure channels.
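
Several bulletins above only apply when a particular role or feature is present: RDP enabled (MS15-067), Hyper-V (MS15-068), a SQL Server instance (MS15-058), or a domain controller (MS15-071). The following triage script is an added example, not part of the original article or any Microsoft tooling; the function names are hypothetical, and it checks only those preconditions, not the OS version or whether the update is already installed.

```powershell
# Added example (not from the original article): report which July 2015
# bulletins with a stated role/feature precondition are relevant to this host.
# Read-only. It does not check OS version or installed updates.

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    # A Group Policy value, when present, takes precedence over the local one.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
             'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections
        if ($null -ne $v) { return ($v -eq 0) }
    }
    return $false
}

function Test-ServicePresent([string[]]$Name) {
    # True if at least one service matching any of the names exists.
    return [bool](Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

function Test-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    return ((Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4)
}

$checks = @(
    @{ Bulletin = 'MS15-067'; Condition = 'RDP enabled'
       Applies  = (Test-RdpEnabled) },
    @{ Bulletin = 'MS15-068'; Condition = 'Hyper-V management service (vmms) present'
       Applies  = (Test-ServicePresent 'vmms') },
    @{ Bulletin = 'MS15-058'; Condition = 'SQL Server instance present'
       Applies  = (Test-ServicePresent 'MSSQLSERVER', 'MSSQL$*') },
    @{ Bulletin = 'MS15-071'; Condition = 'Host is a domain controller'
       Applies  = (Test-DomainController) }
)

$checks |
    ForEach-Object { New-Object PSObject -Property $_ } |
    Select-Object Bulletin, Condition, Applies |
    Format-Table -AutoSize
```

A result of False for a row means only that the precondition was not found on this host; the update should still be installed through normal patch management.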

MS15-072 (KB3069392)

This is an update for a vulnerability in the Windows Graphics Component that affects all supported versions of Windows, both client and server. This includes Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installation.  It is rated Important across all of the affected operating systems.

The single vulnerability creates an elevation of privilege issue when the Windows Graphic Component fails to properly process bitmap conversions. An attacker cannot exploit the vulnerability without logging onto the system with valid credentials, but could then run a specially crafted application to elevate privileges and gain full control of the system.  There are no identified mitigations or workarounds published.

The update fixes the problem by changing the way Windows processes bitmap conversions.

MS15-073 (KB3070102)

This is an update for a vulnerability in the Windows kernel-mode driver that affects all currently supported versions of Windows, including Vista, Windows 7, Windows 8/8.1 and RT/RT 8.1, and Server 2003, 2008, 2008 R2, and 2012 R2, including the server core installation. It is rated Important across all affected operating systems.

This is a single vulnerability caused by the Windows Application Compatibility Infrastructure (AppCompat) improperly checking authorization of a caller’s impersonation token. It would be exploited by an attacker to elevate privileges and run a privileged application. There are no identified mitigations or workarounds published.

The update fixes the problem by changing the way AppCompat processes the impersonation token usage.

MS15-074 (KB3072630)

This is an update for a vulnerability in the Windows Installer Service that’s built into Windows. It affects all supported versions of Windows, both client and server. This includes Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installation.  It is rated Important across all of the affected operating systems.

This is a single vulnerability that occurs when the Windows Installer service improperly runs custom action scripts. In order to exploit the vulnerability, the attacker would need to be able to do several things: compromise a logged-on user, find a vulnerable .msi package installed on the system, and put specially crafted code on the system to be run by the .msi package. The attacker could then elevate privileges and potentially gain admin rights on the system. There are no mitigations or workarounds published.

The update fixes the problem by changing the way custom action scripts are executed.

MS15-075 (KB3072633)

This is an update for a pair of vulnerabilities in OLE, the Object Linking and Embedding component in Windows. It affects all supported versions of Windows, both client and server. This includes Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installation.  It is rated Important across all of the affected operating systems.

These vulnerabilities are both escalation of privilege issues that occur when OLE fails to properly validate user input. An attacker might be able to combine these vulnerabilities with other exploits to run arbitrary code, although this cannot be done with these vulnerabilities alone. These vulnerabilities could, however, enable the attacker to escalate the privileges with which the code is run. There are no identified mitigations or workarounds published.

The update fixes the problem by changing the way the user input is validated by OLE.

MS15-076 (KB3067505)

This is an update for a vulnerability in the Windows Remote Procedure Call (RPC) in all supported versions of Windows. It affects Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installation.  It is rated Important across all of the affected operating systems.

This is a single vulnerability that could be exploited by an attacker to escalate privileges and take complete control of the system, but in order to exploit it, the attacker would have to be able to first log onto the system with valid user credentials. There are no mitigations or workarounds published.

The problem is caused by Windows RPC inadvertently allowing DCE/RPC connection reflection and the update fixes the problem by improving the way Windows RPC handles authentication checks to preclude redirection.

MS15-077 (KB3077657)

This is an update for a vulnerability in the ATM font driver in Windows. It affects all supported versions of Windows, both client and server. This includes Vista, Windows 7, 8, 8.1, RT and RT 8.1, Server 2003, 2008, 2008 R2, 2012, and 2012 R2, including the server core installation.  It is rated Important across all of the affected operating systems.

This is a single memory corruption vulnerability in the Adobe Type Manager Font Driver (ATMFD.DLL) that an attacker could exploit to run arbitrary code and take complete control of a system, but the attacker would have to be able to first log onto the system with valid credentials and then run a specially crafted application.

The update fixes the problem by changing the way ATMFD handles objects in memory.

UPDATE: On July 20 Microsoft released an out-of-band patch to address a critical vulnerability in the Microsoft font driver that could allow for remote code execution.