October: for many of us, it’s the month of falling leaves, jack-o-lanterns and tiny ghosts and goblins who run from house to house, asking that age-old question: “Trick or treat?” As always on the second Tuesday of the month, some of us IT pros are wondering the same thing in relation to this next round of security patches.
I’m happy to report a change in the trend seen in the past several months, which saw us dealing with a dozen or more updates each time. October’s Patch Tuesday brings us only six updates, evenly divided between the critical and the important with three of each. There’s one patch for Microsoft Office applications and services in the mix; the rest pertain to Windows components and two of those are cumulative updates for Microsoft’s web browsers, Internet Explorer and Edge.
Of course, those six patches address a whole multitude of different vulnerabilities. The vulnerabilities that we’re looking at this time include the usual suspects: remote code execution, information disclosure and elevation of privilege, and many of them are related to memory corruption issues.
Now let’s get down into the details of this month’s patches. For more information from the proverbial horse’s mouth, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-oct.aspx
MS15-106 (KB3096441) This is a cumulative update for Internet Explorer that addresses 14 separate vulnerabilities in all supported versions of IE. It affects IE 7, 8, 9, 10 and 11 on all supported Windows operating systems, including RT/RT 8.1. It is rated critical on Windows client computers and moderate on Windows servers. Of course, the server core OSes are not affected since they do not have web browsers installed.
The vulnerabilities run the gamut: scripting engine memory corruption, elevation of privilege, information disclosure, and ASLR bypass. The most severe could be exploited to run arbitrary code. Microsoft has published workarounds for some of the scripting engine memory corruption vulnerabilities, which include restricting access to VBScript.dll and JScript.dll. Full instructions for how to do so are contained in the security bulletin at https://technet.microsoft.com/library/security/MS15-106.
The update fixes the problems by changing the way IE handles objects in memory, changing how JScript and VBScript handle objects in memory, and adding permission validations to IE.
MS15-108 (KB3089659) This is an update for JScript and VBScript scripting engines in Windows that addresses four vulnerabilities. It affects only a segment of the Windows client and server population: Windows Vista and Windows Server 2008, including the server core installation. However, it is rated critical for those operating systems.
The vulnerabilities include two scripting engine memory corruption vulnerabilities, a VBScript and JScript ASLR bypass vulnerability, and a scripting engine information disclosure vulnerability. You might recognize these as some of the same issues addressed by the cumulative browser update described above. Microsoft has published workarounds for some of the scripting engine memory corruption vulnerabilities, which include restricting access to VBScript.dll and JScript.dll. Full instructions for how to do so are contained in the security bulletin at https://technet.microsoft.com/en-us/library/security/MS15-108.
The update fixes the problem by changing the way the VBScript and JScript scripting engines handle objects in memory, and helping to ensure that affected versions of VBScript properly implement the ASLR security feature.
MS15-109 (KB3096443) This is an update to the Windows Shell and Microsoft Tablet Input Band components of the operating system that addresses a pair of vulnerabilities, both of which are rated critical. It affects all currently supported versions of the Windows client and server OS, including the server core installations and also including Windows 10.
These two vulnerabilities can both be exploited to accomplish remote code execution. One is a toolbar use-after-free issue caused by improper handling of objects in memory, which can be exploited by sending a specially crafted toolbar object and convincing a user to open it. The other is a tablet input band issue that is also based on improper handling of objects in memory. This one could be exploited in a web-based attack through compromised sites or user-provided content/ads, or via an email attachment.
The update fixes the problem by changing the way the Shell and Tablet Input Band handle objects in memory.
MS15-107 (KB3096448) This is a cumulative update similar to MS15-106 but for the new Edge web browser that is included in Windows 10. It addresses two vulnerabilities and affects only Edge on Windows 10 (both 32-bit and 64-bit editions). It is rated important for both.
The vulnerabilities consist of one memory-related information disclosure vulnerability and one XSS filter bypass issue. The first is related to the way some functions in Edge handle objects in memory. The second is due to the way Edge disables an HTML attribute that could allow initially disabled scripts to run in the wrong security context. Microsoft hasn’t identified any mitigations or workarounds for either of these.
The update fixes the problem by changing the way the web browser handles objects in memory.
MS15-110 (KB3096440) This is an update for Microsoft Office applications and services, as well as SharePoint Server. It addresses six vulnerabilities and affects Microsoft Excel 2007, 2010, 2013, 2013 RT, 2016, Excel for Mac 2011, Excel 2016 for Mac, Excel Viewer, and Excel Services on SharePoint 2007, 2010, and 2013. It also affects Microsoft Web App 2010, Microsoft Excel Web App 2010, Microsoft Office Web Apps Server 2013, Visio 2007 and 2010, SharePoint Server 2007, 2010 and 2013, and Microsoft SharePoint Foundation 2013. It is rated important.
The vulnerabilities include three memory corruption vulnerabilities in Microsoft Office, a SharePoint information disclosure vulnerability, an XSS spoofing vulnerability in Office Web Apps, and a security feature bypass in SharePoint. The most severe of these can be exploited to accomplish remote code execution, and no workarounds have been published for any of them. There is a mitigating factor for the Office memory corruption vulnerabilities, in that valid credentials for the SharePoint site would be required to carry out the exploit, as long as anonymous access is not enabled (it is disabled by default).
The update fixes the problems by changing the way Office handles objects in memory, making sure that SharePoint InfoPath forms services handle DTD entities properly, improving the sanitization of web requests by Office Web Apps Server and making changes to the way SharePoint sanitizes web requests.
MS15-111 (KB3096447) This is an update to the Windows kernel that addresses five vulnerabilities. It affects all currently supported versions of Windows client and server operating systems, including RT/RT 8.1, Windows 10 and the server core installations. It is rated important for all, as elevation of privilege is the maximum security impact.
The vulnerabilities include three kernel elevation of privilege vulnerabilities, one of which is a memory corruption issue and another of which is a Windows object reference issue. There is also a trusted boot security feature bypass vulnerability and a Windows mount point vulnerability. Microsoft has published workarounds for one of these, the full instructions for which can be found in the security bulletin at https://technet.microsoft.com/library/security/MS15-111.
The update fixes the problems by changing the way the Windows kernel handles objects in memory, correcting the way Windows handles certain scenarios involving junction and mount-point creation, and improving the way Windows parses Boot Configuration Data (BCD).