Patch Tuesday March 2015

March definitely came in like a lion here in north central Texas, where we got a rare four inches of snowfall the first week of what, for us, is usually a time when the swallows return and the flowers start budding. But aside from the weather, this month is also looking fierce when it comes to Microsoft patching. If you were hoping for a light load this time, I hate to be the bearer of bad news but we’re looking at a whopping fourteen security updates on this Patch Tuesday.

Five of those are rated critical, with the rest designated as important. We have the whole range of usual vulnerability types: remote code execution, elevation of privilege, information disclosure, denial of service and security feature bypass, along with one we haven’t seen much recently: a spoofing vulnerability. Most affect Microsoft Windows, but we also have one for Office and SharePoint and one for Exchange. And yes, Microsoft did issue a patch for the Schannel vulnerability (FREAK) that got so much publicity last week.

For more information about the updates and step-by-step instructions regarding any workarounds, please see the individual security bulletins, which are linked in this month’s Security Bulletin Summary.

Critical

MS15-018 (KB3032359) This is a cumulative update for Internet Explorer that addresses twelve vulnerabilities in the web browser software. It affects all supported versions of IE, including IE 6 on Windows Server 2003 SP 2 (IE 6 on XP has reached end-of-life). IE 11 on Windows RT is also included, as is the Windows 10 technical preview and Windows Server technical preview. In a nutshell, if you’re using Internet Explorer, you need this update.

The various vulnerabilities include remote code execution, elevation of privilege, information disclosure and security feature bypass. Most of them (nine of the twelve) involve memory corruption issues. There are no published mitigations or workarounds for any of the vulnerabilities at this time.

The update fixes these problems by resolving the handling of objects in memory, enforcing cross-domain policies properly and adding more permissions validations.

MS15-019 (KB3040297) This update is for a vulnerability in the VBScript scripting engine in Windows. It affects Windows Server 2003, Vista, and Windows Server 2008. The server core installations of Server 2008 and 2008 R2 are also affected. Later versions of the Windows client and server operating systems are not affected. The rating is critical on Windows Vista but only moderate on the server operating systems.

This vulnerability is caused by a memory corruption issue and an exploit could allow the attacker to gain the same rights as the currently logged-on user. It could be exploited through a web site or an embedded ActiveX control in an application or Office document. There are no published mitigations or workarounds at this time.

The update fixes the problem by changing the way the VBScript engine handles objects in memory.

MS15-020 (KB3041836) This update is for a vulnerability in Windows Text Services that can lead to remote code execution. It affects all currently supported versions of Windows, both client and server operating systems, including Windows RT/RT 8.1 and also including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2.

The vulnerability is due to the way Windows Text Services handles objects in memory and an exploit could allow the attacker to run arbitrary code with the permissions of the currently logged-on user. The exploit would require that the user visit a malicious web site or open a maliciously crafted file. There are no published mitigations or workarounds at this time.

The update fixes the problem by changing the way Windows Text Services handles objects in memory.

MS15-021 (KB3032323) This update is for vulnerabilities in the Adobe font driver that could, as a worst case scenario, result in remote code execution. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT/RT 8.1 and including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2.

These seven vulnerabilities include five remote code execution vulnerabilities caused by the way the Adobe font driver overwrites objects in memory, as well as two information disclosure vulnerabilities that can be used in conjunction with other vulnerabilities to bypass security features. There are no published mitigations or workarounds at this time.

The update fixes the problems by correcting the way objects in memory are handled.

MS15-022 (KB3038999) This update is for vulnerabilities in Microsoft Office, the most serious of which can lead to remote code execution. It affects Office 2007, 2010, 2013 and 2013 RT, as well as the Word and Excel viewer software and the Office Compatibility Pack SP3. It also affects SharePoint Server 2010 and 2013, and Office Web Apps 2010 and 2013.

These five vulnerabilities have aggregate severity ratings ranging from important to critical, depending on the particular Office software and version. Most are caused by the way objects in memory are handled; the two SharePoint vulnerabilities are cross-site scripting (XSS) issues caused by SharePoint’s failure to properly sanitize requests. There is a published workaround for one of the vulnerabilities, which you can find in the security bulletin at https://technet.microsoft.com/library/security/MS15-022

The update fixes the problems by correcting the way objects in memory are handled and ensuring that SharePoint properly sanitizes user input.

NOTE: There are known issues associated with some of the individual Office product versions to which this update applies. You can find a list of KB articles pertaining to each of the different products in KB 3038999 on the Microsoft support site at https://support.microsoft.com/kb/3038999

Important

MS15-023 (KB3034344) This update is for multiple vulnerabilities in the Windows kernel mode driver that could allow an elevation of privilege. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT/RT 8.1 and including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2. Severity rating is important for all operating systems.

These four vulnerabilities have different causes, including the failure to properly initialize function buffers, failure to properly validate the calling thread’s token, leaking of private information during a function call, and the way the kernel mode driver dereferences a NULL pointer. There are no published mitigations or workarounds at this time.

The update fixes the problems by correcting the initialization and validation processes, and changing how objects in memory are handled.

MS15-024 (KB3035132) This update is for a single vulnerability in PNG processing that could allow for disclosure of information. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT/RT 8.1 and including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2.

The vulnerability occurs because uninitialized memory isn’t handled properly when Windows parses malformed PNG image files. It could be exploited by hosting a web site that contains specially crafted malformed PNG files. There are no published mitigations or workarounds at this time.

The update fixes the problem by changing the way Windows processes PNG files.

MS15-025 (KB3038680) This update is for two vulnerabilities in the Windows kernel that could lead to elevation of privilege. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT/RT 8.1 and including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2.

These two vulnerabilities include one that is caused by the way the Windows registry virtualization improperly allows a user to make changes to the virtual store of another user, and one that is due to the failure of Windows to properly validate and enforce impersonation levels. There is a published workaround for the first vulnerability. You can find the instructions in the security bulletin at https://technet.microsoft.com/library/security/MS15-025?f=255&MSPPError=-2147217396

The update fixes these problems by correcting the way registry virtualization handles virtual stores and by changing how Windows validates impersonation levels.

NOTE: Almost immediately upon release, security pros noticed that there are some known issues with this patch. The problem occurs when you download and install updates manually. Update 3035131 and advisory 3033929 were released at the same time, and the two share binaries. The order in which you manually install them matters. If you install advisory update 3033929 first, then when you try to install update 3035131 you’ll get a message saying it is already installed. Be sure to install update 3035131 first.

MS15-026 (KB3040856) This update is for multiple vulnerabilities in Microsoft Exchange Server that could be used to accomplish an elevation of privileges. It affects only Exchange Server 2013 SP1 and Exchange Server 2013 Cumulative Update 7. Older versions of Exchange are not affected.

These five vulnerabilities include one that involves failure to properly validate meeting organizer identity when accepting or changing a meeting request, along with four different OWA XSS vulnerabilities that occur because Exchange doesn’t properly sanitize page content in OWA. There is a published workaround for two of the OWA vulnerabilities. You can find the instructions in the security bulletin at https://technet.microsoft.com/library/security/MS15-026

The update fixes the problems by changing the way page content is sanitized in OWA and by correcting the way Exchange validates meeting organizer authenticity.

MS15-027 (KB3002657) This update is for the spoofing vulnerability in the NETLOGON service in Windows. It affects all currently supported Windows Server operating systems (2003, 2008, 2008 R2, 2012 and 2012 R2), including the server core installations. It does not affect Windows client operating systems.

The vulnerability is caused by the improper establishment of the secure communications channel by the Netlogon service when connecting to a different machine with a spoofed computer name. The good news is that an attacker needs to be logged into a domain member computer and be able to see network traffic in order to exploit it. There are no published mitigations or workarounds at this time.

The update fixes the problem by changing the way Netlogon handles the establishment of secure channels.

MS15-028 (KB3030377) This update is for a vulnerability in the Windows Task Scheduler component of Windows that could be used to allow a user to run files that the user does not have permission to run. It affects Windows 7, 8, 8.1, RT and RT 8.1, as well as Windows Server 2008 R2, 2012 and 2012 R2, including the server core installations. It does not affect Windows Vista, Server 2003 or Server 2008.

This vulnerability is a security feature bypass that happens when Windows Task Scheduler doesn’t properly validate and enforce impersonation levels, which could be exploited to run executable files that the user doesn’t have permission to run. There is a published workaround for the vulnerability. You can find instructions in the security bulletin at https://technet.microsoft.com/library/security/MS15-028

The update fixes the problem by correcting the way Task Scheduler validates impersonation levels.

MS15-029 (KB3035126) This update is for a vulnerability in the Windows Photo Decoder component that could be used to allow information disclosure. It affects Windows Vista, 7, 8, 8.1 and RT/RT 8.1, as well as Server 2008, 2008 R2, 2012 and 2012 R2. It does not affect Server 2003 or the server core installations.

This vulnerability is due to improper handling of uninitialized memory when the Windows Photo Decoder parses specially crafted JPEG XR image files. An attacker can exploit it by convincing a user to visit a web site where such files are hosted, and would potentially be able to read data not intended for disclosure. There are no published mitigations or workarounds at this time.

The update fixes the problem by correcting the way Windows processes JPEG XR image files.

MS15-030 (KB3046049) This update is for a vulnerability in RDP (the Remote Desktop Protocol) that could be used by an attacker to launch a denial of service attack. It affects Windows 7, 8, 8.1, and Server 2012 and 2012 R2, including the server core installation. It does not affect Vista, Windows RT/RT 8.1 or previous versions of Windows Server.

The vulnerability exists because RDP fails to properly free objects in memory when multiple RDP sessions are created. An attacker can leverage this to exhaust system memory and prevent legitimate users from logging on. There is a published workaround for this vulnerability. You can find the instructions in the security bulletin at https://technet.microsoft.com/library/security/MS15-030

The update fixes the problem by changing the way the Remote Desktop Protocol manages objects in memory.

MS15-031 (KB3046049) This update is for the widely publicized Schannel vulnerability also known as FREAK, caused by the downgrading of cipher key lengths in TLS connections. We did an article on this vulnerability that you can check out for more information: Freaking Out over the Latest SSL Vulnerability. It affects all currently supported versions of the Windows client and server operating systems, including Windows RT/RT 8.1 and including the server core installations of Windows Server 2008, 2008 R2, 2012 and 2012 R2.

This is a security feature bypass issue that impacts not just Windows but Apple and Android devices as well. An attacker can exploit the support for short (export-grade) RSA key lengths, which the U.S. government once mandated for exported software, to mount a man-in-the-middle (MITM) attack. The good news is that by default export cipher support is disabled in Windows Vista/Server 2008 and later operating systems. If it’s not, there is a workaround that involves disabling it via the Group Policy Object Editor. You’ll find instructions in the security bulletin at https://technet.microsoft.com/library/security/MS15-031
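The workaround above is done through the Group Policy Object Editor, but the same setting can be audited from PowerShell. The script below is an added example, not code from this article or from Microsoft’s bulletin. It assumes that the “SSL Cipher Suite Order” policy stores its list as the comma-separated REG_SZ value named Functions under the registry key shown, and the function names (Get-ExportCipherSuites, Get-HardenedCipherSuiteOrder, Test-SchannelCipherSuitePolicy) are hypothetical names chosen for this example. It reports any export-grade suites that a policy has left enabled and, with -Apply, rewrites the policy without them.

```powershell
# Added example (not from the article or from Microsoft's bulletin).
# Assumption: the "SSL Cipher Suite Order" Group Policy setting stores its
# comma-separated cipher suite list as the REG_SZ value "Functions" under this key.
$SchannelPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ExportCipherSuites {
    # Returns the export-grade entries in a cipher suite list. Export suite names
    # carry an EXPORT marker (EXPORT, EXPORT1024, EXPORT40), so a case-insensitive
    # substring match (PowerShell's default for -match) finds all of them.
    param([Parameter(Mandatory)][string[]]$CipherSuites)
    $CipherSuites | Where-Object { $_ -match 'EXPORT' }
}

function Get-HardenedCipherSuiteOrder {
    # Returns the list with export-grade suites removed and the original order kept,
    # so the stronger suites the administrator ranked first stay first.
    param([Parameter(Mandatory)][string[]]$CipherSuites)
    $CipherSuites | Where-Object { $_ -notmatch 'EXPORT' }
}

function Test-SchannelCipherSuitePolicy {
    # Audits the local cipher suite order policy. Without -Apply it only reports;
    # with -Apply it writes the hardened list back (requires an elevated session).
    param([switch]$Apply)

    $Item = Get-ItemProperty -Path $SchannelPolicyKey -Name Functions -ErrorAction SilentlyContinue
    if (-not $Item) {
        Write-Output 'No cipher suite order policy is set; Schannel uses its built-in default list.'
        return
    }

    # Split the stored string, trim whitespace and drop empty entries.
    $Configured = $Item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $Weak = @(Get-ExportCipherSuites -CipherSuites $Configured)
    if ($Weak.Count -eq 0) {
        Write-Output 'Policy contains no export-grade cipher suites.'
        return
    }

    Write-Output 'Export-grade cipher suites enabled by policy:'
    $Weak | ForEach-Object { Write-Output "  $_" }

    if ($Apply) {
        $Hardened = (Get-HardenedCipherSuiteOrder -CipherSuites $Configured) -join ','
        Set-ItemProperty -Path $SchannelPolicyKey -Name Functions -Value $Hardened
        Write-Output 'Policy rewritten without export suites; reboot for Schannel to pick up the change.'
    }
}

# Constructed sample list (not taken from any real machine) so the filter can be
# exercised offline: two strong suites followed by two export-grade ones.
$SampleOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA',
    'TLS_RSA_EXPORT_WITH_RC4_40_MD5'
)
Get-ExportCipherSuites -CipherSuites $SampleOrder        # returns the two EXPORT entries
Get-HardenedCipherSuiteOrder -CipherSuites $SampleOrder  # returns only the first two entries

# Audit the local machine; add -Apply to rewrite the policy value.
Test-SchannelCipherSuitePolicy
```

On a domain-joined machine the Group Policy engine will reapply whatever the GPO specifies at the next refresh, so a local rewrite is only a stopgap; the lasting fix is to edit the list in the GPO itself, as the bulletin’s workaround describes. Note too that if no policy is set, the script reports nothing to fix because Schannel is using its default list, which already excludes export suites on Vista/Server 2008 and later.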

The update fixes the problem by correcting the cipher suite enforcement policies that are used when the client and server computers exchange keys.

NOTE: Before you apply this update, you should undo the workaround that is described in security advisory 3046049 if you had applied it. Otherwise you may find that your Internet services quit working.