May Patch Tuesday, KB3049563, KB3057110, KB3057110

The past few months have been heavy on the security updates, from Microsoft and other vendors. This month is no exception. We’re looking at 13 security patches that came down the pike today, and hoping that number doesn’t prove to be unlucky; it’s not so much the number of patches as the problems that have been coming in their wake that has many IT pros dreading the second Tuesday of the month.

Perhaps Microsoft has recognized that this is a problem. As I wrote a couple of days ago in the blog No More Patch Tuesday, these big piles of patches that fall out of the sky all at once may soon be a thing of the past. At their Ignite conference, Microsoft indicated that after the release of Windows 10, security (and other) updates will be released as they’re ready, instead of being saved up for one pre-set day of the month.

But for now, we’re still dealing with another long patching day, with updates for a broad cross section of Microsoft products: Windows, IE, Office, SharePoint, .NET Framework, and Silverlight. The good news is that only three are rated critical.

For more detailed information about all of these updates, please see the May Security Bulletin Summary on the Microsoft web site at https://technet.microsoft.com/en-us/library/security/ms15-may.aspx

Critical

MS15-043 (KB3049563)
This is the usual cumulative update for Internet Explorer, which addresses more than 20 separate vulnerabilities in the web browser software. The most serious could result in remote code execution. It affects all supported versions of IE (6, 7, 8, 9, 10 and 11) and is rated critical on client operating systems and moderate on servers.

The vulnerabilities include multiple memory corruption issues, several VBScript and Jscript Address Space Layout Randomization (ASLR) bypass vulnerabilities, elevation of privilege, and information disclosure vulnerabilities. Microsoft has published workarounds for some of the vulnerabilities. You can find the instructions on the TechNet web site at https://technet.microsoft.com/library/security/MS15-043

The update fixes these problems by changing the way IE handles objects in memory, ensuring that affected versions of Jscript and VBScript and IE properly implement ASLR security, adding more permission validations and preventing information stored in the clipboard from being accessed by malicious sites.

MS15-044 (KB3057110)
This is an update for two vulnerabilities that exist in several Microsoft products: Windows, the .NET Framework, Office, Lync and Silverlight. The most serious could result in remote code execution. It affects all currently supported versions of Windows (Vista, 7, 8/8.1, RT/RT8.1, Server 2003, 2008, 2008 R2, 2012 and 2012 R2), including the server core installations.

The vulnerabilities include an OpenType font parsing problem that occurs when the Windows DirectWrite library handles OpenType fonts improperly, making it possible for an attacker to read data intended to be private, as well as a vulnerability by which the affected software components handle TrueType fonts improperly, making it possible for an attacker to take complete control of the system. Microsoft has not published any workarounds or mitigations for either of these vulnerabilities.

The update fixes the problems by changing the way the Windows DirectWrite library handles OpenType and TrueType fonts.

MS15-045 (KB3057110)
This is an update for six vulnerabilities in Windows Journal. The most serious could result in remote code execution. It affects Windows Vista, 7, 8/8.1, RT/RT 8.1, Server 2008, 2008 R2, 2012 and 2012 R2. The rating is critical across all operating systems.

The vulnerabilities occur when a specially crafted Journal file is opened. Two of the vulnerabilities have been publicly disclosed. Microsoft has identified a “workaround” that consists of not opening any .jnt files and removing the .jnt file type association to prevent them from being opened automatically. You can also deny access to Journal.exe. Instructions for all of these methods can be found on the TechNet web page at https://technet.microsoft.com/en-us/library/security/ms15-045.aspx

The update fixes the problem by changing the way Windows Journal parses .jnt files.

Important

MS15-046 (KB3057181)
This is an update for a pair of memory corruption vulnerabilities in all supported versions of Microsoft Office and standalone Word, Excel and PowerPoint 2007, 2010, 2013, 2013 RT, 2011 for Mac, PowerPoint Viewer, Word Automation Services and Excel Services on SharePoint Server 2010 and 2013, Office Web Apps 2010 and 2013, SharePoint Foundation Server 2010 and SharePoint Server 2013.

The vulnerabilities could be exploited to run arbitrary code in the context of the logged-on user, if the user opens a specially crafted file. There have been no reports of exploits in the wild as of the release of the update. Microsoft has not published any workarounds or mitigations for either of the vulnerabilities.

The update fixes the problem by changing the way Office parses specially crafted files.

MS15-047 (KB3058583)
This is an update for a vulnerability in Microsoft SharePoint Server that could result in remote code execution. It affects SharePoint Server 2007, 2010 and 2013 and is rated Important for all of them.

The vulnerability occurs when SharePoint fails to properly sanitize the content of specially crafted pages. In order to exploit the vulnerability, an attacker would need to be able to authenticate, thus reducing the risk – as long as the SharePoint server is not configured to allow anonymous users to access it. Anonymous access is not enabled by default.

The update fixes the problem by correcting the way SharePoint Server sanitizes specially crafted page content.

MS15-048 (KB3057134)
This is an update for two vulnerabilities in the Microsoft .NET Framework, the most serious of which could allow an attacker to elevate privileges and take complete control of a machine. It affects .NET Framework versions 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 on all currently supported Windows server and client operating systems.

The first vulnerability occurs when the .NET Framework tries to decrypt specially crafted XML files and could be exploited to degrade the website performance and impact availability of applications using the .NET Framework. The second happens when .NET’s WinForms libraries don’t handle objects in memory properly, and can be exploited to elevate privileges. Microsoft has not published any workarounds or mitigations for either.

The update fixes the problem by changing the way .NET Framework handles objects in memory and the way it decrypts XML data.

MS15-049 (KB3058985)
This is an update for a vulnerability in Microsoft Silverlight that could result in elevation of privilege. It affects Silverlight 5, along with the Silverlight 5 Developer Runtime, installed on all currently supported versions of Windows or on Mac OS X. The rating is important across all platforms.

The vulnerability is an out-of-browser application vulnerability caused by Silverlight improperly allowing applications intended to run with very limited permissions to run at medium integrity level, which means they have the permissions of the currently logged-on user. The good news is that the attacker has to be able to log on to the system or convince a user to run a specially crafted Silverlight application. Microsoft has published a workaround that consists of temporarily preventing Silverlight from running. For instructions on how to do this in IE, Mozilla Firefox and Google Chrome, see the TechNet web page at https://technet.microsoft.com/en-us/library/security/ms15-049.aspx. Another workaround is to remove Silverlight from the IE ElevationPolicy in the registry.

The update fixes the problem by adding checks to make sure non-elevated processes can only run at low integrity level.

MS15-050 (KB3055642)
This is an update for an elevation of privilege vulnerability in the Service Control Manager (SCM), a component in Windows that starts, stops and interacts with Windows services. It affects all currently supported client and server versions of Windows, including server core installations, and is rated important across all versions.

The vulnerability occurs when the SCM verifies impersonation levels improperly. This can enable an attacker to elevate privileges by running a specially crafted application. The attacker would have to be able to log onto the system. Servers are at lower risk if configured according to best practices to prevent users from logging on and running programs. Microsoft has not published any workarounds or mitigations for this vulnerability.

The update fixes the problem by changing the way SCM verifies impersonation levels.

MS15-051 (KB3057191)
This is an update for five memory disclosure vulnerabilities in the Windows kernel-mode driver. It affects all currently supported versions of the Windows client and server operating systems, including server core installations. It is rated important across all versions.

The vulnerabilities occur during function calls, when the Windows kernel-mode driver leaks private address information that could allow disclosure of the contents of kernel memory. This would provide an attacker with information about the system that could be used in conjunction with other exploits. The good news is that an attacker must have valid logon credentials and be able to log on locally in order to successfully exploit the vulnerabilities.

The update fixes the problem by changing the way the Windows kernel-mode driver handles objects in memory.

MS15-052 (KB3050514)
This is an update for a vulnerability in the Windows kernel that could allow bypass of security features. It affects Windows 8/8.1, RT/RT8.1, Server 2012 and 2012 R2, including the server core installations. It is rated important for all versions.

The vulnerability occurs because the Windows kernel doesn’t properly validate a memory address, which enables an attacker to get information that can be used to bypass ASLR. The good news is that in order to exploit the vulnerability, the attacker has to be able to log on to the system and run a specially crafted application.

The update fixes the problem by changing the way memory addresses are validated by the Windows kernel.

MS15-053 (KB3057263)
This is an update for two ASLR bypass vulnerabilities, one in the VBScript engine and the other in both the VBScript and JScript scripting engines. They affect JScript versions 5.6, 5.7 and 5.8 and VBScript versions 5.6, 5.7 and 5.8 running in IE 6, 7, 8, 9, 10 and 11 on Windows Vista and Server 2003 and 2008, including the server core installation. It is rated important for all of the affected operating systems.

The vulnerabilities occur when the VBScript or JScript engines fail to use the ASLR security feature, which an attacker can exploit to predict memory offsets of specific instructions and use the information in conjunction with other exploits to run arbitrary code. Microsoft has published a workaround for the VBScript vulnerability that restricts access to VBScript.dll. You can find the instructions on the TechNet web page at https://technet.microsoft.com/en-us/library/security/ms15-053.aspx

The update fixes the problem by ensuring that affected versions of JScript and VBScript implement ASLR properly.

MS15-054 (KB3051768)
This is an update for two vulnerabilities in the Microsoft Management Console file format (.msc) that could be used to create a denial of service. The MMC is a component of Windows and this affects all supported versions of Windows except Server 2003. That is, it affects Vista, 7, 8/8.1, RT/RT8.1, Server 2008, 2008 R2, 2012 and 2012 R2, including the server core installations. It is rated important for all affected systems.

The vulnerabilities occur when Windows tries to access a specially crafted .msc file and does not properly validate the destination buffer, creating a denial of service. This can be exploited by an unauthenticated user by convincing an authenticated user to open a share that contains the .msc file. Microsoft has published a workaround that involves turning off metafile processing by editing the registry. You can find the instructions on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-054.aspx

The update fixes the problem by changing the way Windows validates destination buffers in specific scenarios.

MS15-055 (KB3061518)
This is an update for a vulnerability in Schannel (Secure Channel) in Windows that could allow for information disclosure. It affects all supported versions of the Windows client and server operating system, including the server core installations. It is rated important across all versions.

The vulnerability occurs because Schannel allows use of a weak Diffie-Hellman ephemeral (DHE) key length of 512 bits in an encrypted TLS session. The good news is that an exploit will not be successful unless the server targeted in the attack supports use of 512-bit DHE key lengths, and the default for Windows Server is 1024 bits. Microsoft has published a workaround that consists of disabling DHE cipher suites via the registry. You can find the instructions on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-055.aspx

The update fixes the problem by increasing minimum DHE key length to 1024 bits.
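A check a defender can run over captured handshake data, added here as an example and not part of the original post: it parses the Diffie-Hellman parameters out of a TLS ServerKeyExchange body and flags any prime shorter than the 1024-bit minimum the update enforces. The two sample messages are constructed for the demonstration (their primes are not real primes; only the length matters here), and `MIN_DHE_BITS` is taken from the bulletin text above.

```python
import struct

# TLS 1.2 ServerKeyExchange body for DHE cipher suites (RFC 5246, 7.4.3):
#   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
# followed by a signature, which this length check does not need to parse.

MIN_DHE_BITS = 1024  # minimum DHE key length enforced by MS15-055


def _read_vector(buf, pos):
    """Return (bytes, next_pos) for a 16-bit length-prefixed TLS vector."""
    if pos + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def dh_prime_bits(server_key_exchange):
    """Size in bits of dh_p. Leading zero bytes do not count, so a
    512-bit prime padded to 65 bytes is still reported as 512 bits."""
    p, pos = _read_vector(server_key_exchange, 0)
    g, pos = _read_vector(server_key_exchange, pos)
    _ys, _pos = _read_vector(server_key_exchange, pos)
    p_int = int.from_bytes(p, "big")
    if p_int == 0 or int.from_bytes(g, "big") == 0:
        raise ValueError("invalid DH parameters")
    return p_int.bit_length()


def is_weak_dhe(server_key_exchange, minimum_bits=MIN_DHE_BITS):
    """True when the server offered a DHE prime below the required minimum."""
    return dh_prime_bits(server_key_exchange) < minimum_bits


def _constructed_ske(prime_bits):
    """Constructed sample message: dh_p has its top bit at prime_bits
    (not a real prime), g = 2 and a zero placeholder for Ys."""
    p_bytes = ((1 << (prime_bits - 1)) | 1).to_bytes((prime_bits + 7) // 8, "big")
    g_bytes = b"\x02"
    ys_bytes = b"\x00" * 16
    return (struct.pack("!H", len(p_bytes)) + p_bytes
            + struct.pack("!H", len(g_bytes)) + g_bytes
            + struct.pack("!H", len(ys_bytes)) + ys_bytes)


WEAK_SAMPLE = _constructed_ske(512)   # what a pre-patch Schannel would accept
OK_SAMPLE = _constructed_ske(1024)    # the Windows Server default

if __name__ == "__main__":
    for name, sample in (("512-bit", WEAK_SAMPLE), ("1024-bit", OK_SAMPLE)):
        print(name, dh_prime_bits(sample), "WEAK" if is_weak_dhe(sample) else "ok")
```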