J003-Content-PatchTue_SQIn the U.S., Labor Day weekend has just passed and it is now officially the end to summer. Although here in Texas the temperatures still hover close to 90° F, there is a whiff of autumn in the air already. Thus begins what is traditionally the most hectic period of my year as we ramp up for the holiday season ahead.

We’re still quite a few days away from the Twelve Days of Christmas, but this month we’ll be singing about the Twelve Patches of Microsoft, as that’s how many security bulletins the company issued this time. If you were hoping for one of those three or four patch months (remember those?), you’re out of luck, but at least it’s not quite as bad as last month’s fourteen updates. This month Microsoft also blew past the 100 update marker for this year.

Five of the 12 are rated critical and the remaining seven are classified as important, running the gamut from information disclosure and denial of service issues to elevation of privilege, security feature bypass and remote code execution vulnerabilities.  In all, these 12 patches address 55 vulnerabilities in a range of Microsoft products, including Windows 10 and the new Edge web browser.

Note that when Microsoft releases information about its patches, it only lists as affected those operating systems that are still supported. There is a good chance that vulnerabilities that are in all supported versions of Windows may also be in Windows XP and Server 2003, which are now out of support.

So here we go with this month’s changes. For more information from the proverbial horse’s mouth, see the Security Bulletin Summary on the TechNet web site at https://technet.microsoft.com/en-us/library/security/ms15-sep.aspx

Critical

 MS15-094 (KB 3089548)

This is the pretty-much-monthly cumulative update for Internet Explorer. It affects IE 7, 8, 9, 10, and 11 on all supported versions of Windows, including IE 11 on Windows 10. It’s rated critical for browsers running on Windows client operating systems and moderate for those running on Windows servers.

The update addresses 17 vulnerabilities, with 13 of those being memory corruption issues. The most severe potential impact is arbitrary code execution.  There is also a scripting engine memory corruption vulnerability, an elevation of privilege vulnerability related to improper validation of permissions, an information disclosure vulnerability, and a tampering vulnerability that occurs when IE accesses a file with an improper flag.  The scripting engine issue has a workaround that you can find in the contents of the bulletin on the TechNet web site at https://technet.microsoft.com/library/security/ms15-094.
The update fixes the problems by changing the way IE handles objects in memory, correcting the way JScript and VBScript handle objects in memory, and helping ensure that IE correctly permits file operations.

MS15-095 (KB 3089665)

This is an update for the new Windows 10 web browser, Microsoft Edge. It affects Windows 10 systems, both 32 and 64 bit and is rated critical.

The update addresses four memory corruption vulnerabilities that could allow an attacker to execute arbitrary code in the context of the currently logged-on user, if the user can be persuaded to visit a specially crafted or compromised web site. There are no published mitigations or workarounds.

The update fixes the problem by changing the way Edge handles objects in memory. None of the vulnerabilities had been publicly disclosed or exploited in the wild at the time of the patch release.

MS15-097 (KB 3089656)

This is an update for the Microsoft Graphics Component in Windows, Office and Lync. It affects all currently supported versions of Windows, both client and server operating systems, including Windows RT and Windows 10 and also including the server core installations.  It affects Office 2007 and 2010, and Lync 2010 and 2013 as well as Skype for Business.  It is rated critical for Windows Vista, Server 2008, Office 2007/2010 and Lync 2010/2013. It is rated Important for all other operating systems.

The update addresses 11 vulnerabilities, the most severe of which can allow remote code execution via embedded OpenType fonts in a specially crafted document or untrusted web site. Other potential impacts include denial of service, elevation of privilege and security feature bypass (kernel ASLR bypass). To exploit most of these vulnerabilities, the attacker would have to be able to log onto the affected system or convince a user to open a document or visit a web site. There are workarounds published for the OpenType font parsing vulnerability, which involve renaming or disabling ATMFD.DLL. Instructions are contained in the security bulletin content at https://technet.microsoft.com/en-us/library/security/ms15-097.aspx

The update fixes the problems by changing the way the Adobe Type Manager Library handles OpenType fonts, the way the Windows kernel-mode driver handles objects in memory, the way the kernel handles memory addresses and the way Windows validates integrity levels.

MS15-098 (KB 3089669)

This is an update for the Windows Journal component in Windows. It affects all supported versions of the Windows operating system, client and server, except for Itanium editions of Server. It is rated critical for all affected systems.

The update addresses five vulnerabilities, four of which are critical as they could be exploited to accomplish remote code execution. The fifth is a denial of service vulnerability that has a low severity rating. The four RCE vulnerabilities is exploitable only if the user can be convinced to open a specially crafted Journal file. There are published workarounds that involve removing the .JNT file type association or disabling the Windows feature that installed Windows Journal. Instructions are contained in the security bulletin content at https://technet.microsoft.com/en-us/library/security/ms15-098.aspx

The update fixes the problems by changing the way Windows Journal parses Journal files.

MS15-099 (KB 3089664)

This is an update for Microsoft Office. It affects all supported editions of Office 2007, 2010, 2013 and 2013 RT, for which it is rated critical. It also affects Excel for Mac 2011  and 2016 and Microsoft SharePoint Foundation 2013/SharePoint Server 2013, for which it is rated Important.

The update addresses five vulnerabilities, three of which are memory corruption issues, with one malformed EPS file vulnerability and one XSS spoofing vulnerability. The first four could be exploited to accomplish remote code execution. There are both mitigating factors and a workaround for the malformed EPS file vulnerability, in that it cannot be exploited automatically through a web-based attack. A user would have to visit the attacker’s site or open an email attachment with Word as the email reader.  The workaround involves editing the ACL to deny access to EPSIMP32.FLT for all users. Instructions are contained in the security bulletin at https://technet.microsoft.com/en-us/library/security/ms15-099.aspx

The update fixes the problem by changing the way Office handles files in memory and the way SharePoint validates web requests.

Important

MS15-096 (KB 3072595)

This is an update that addresses a single vulnerability in Active Directory Service on Windows Server operating systems. It affects Windows Server 2008, 2008 R2, 2012, and 2012 R2, including the server core installation. It is rated Important on all versions.

The vulnerability could be exploited to create a denial of service condition if an authenticated user creates multiple machine accounts, causing the Active Directory to stop responding. The attacker would have to have valid credentials to log on and create the accounts.  A mitigating factor is that the attacker would also need to log on with an account that has privileges to join computers to the domain in order to exploit this vulnerability.

The update fixes the problem by changing the way machine accounts are created on Windows Server operating systems.

MS15-100 (KB 3087918)

This is an update for Windows Media Center. It affects WMC running on Vista, Windows 7 and Windows 8.  It is rated Important for all affected systems.

The update addresses a single vulnerability by which an attacker could gain the user rights of the logged on user when the user opens a specially crafted .mcl file containing malicious code. This could allow remote code execution if the current user has administrative privileges. There are no mitigations or workarounds published.

The update fixes the problem by changing the way Media Center link files are handled by WMC.

MS15-101 (KB 3089662)

This is an update to the .NET Framework. It affects versions 2.0, 3.5, 3.51, 4, 4.5, 4.5.1 and 4.5.2 running on Vista, Windows 7, 8, 8.1, RT and RT 8.1, 10, and Server 2008, 2008 R2, 2012, and 2012 R2, including server core installations. It is rated Important for all.

The update addresses two vulnerabilities, one of which is an elevation of privilege issue with the other being a denial of service vulnerability. The first can be exploited through either a web browser attack or a Windows .NET attack. The second would be exploited by an attacker who sends a small number of specially crafted requests to an ASP.NET server to disrupt the availability of sites that use ASP.NET. No mitigations or workarounds have been published for either vulnerability.

The update fixes the problems by changing the way .NET Framework copies objects in memory and the way it handles specially crafted requests.

MS15-102 (KB 3089657)

This is an update to the Windows Task Management component. It affects all supported versions of the Windows operating system, client and server, including Windows RT, 10 and server core installations. It is rated Important for all.

The update addresses three vulnerabilities, all of which are elevation of privilege issues. The first and third occur when Windows doesn’t properly validate and enforce impersonation levels and the second happens when certain file system interactions are improperly verified. To exploit any of the vulnerabilities, the attacker would have to have credentials to be able to log onto the system and then run a specially crafted application. There are no mitigations or workarounds that have been published for any of these vulnerabilities.

MS15-103 (KB 3089250)

This is an update for Microsoft Exchange Server. It affects only Exchange Server 2013, with cumulative update 8 and 9 and SP1.  It is rated Important.

The update addresses three vulnerabilities, one of which is an information disclosure vulnerability while the other two are spoofing issues. The first occurs with Outlook Web Access fails to handle web requests properly. The other two are related to improper sanitation of specially crafted email by OWA.  There are no mitigations or workarounds published for any of these vulnerabilities.

The update fixes these problems by changing the way OWA handles web requests and helping make sure that OWA sanitizes user input and mail content properly.

MS15-104 (KB 3089952)

This is an update for Lync Server and Skype for Business. It affects Skype for Business 2015 and Lync Server 2013. It is rated Important for both.

The update addresses three vulnerabilities, two of which are information disclosure issues whereas the third is an XSS elevation of privilege vulnerability.  In order to exploit any of these vulnerabilities, the attacker must get the user to click a specially crafted URL in a web-based or email scenario.  There are no mitigations or workarounds published for any of these vulnerabilities.

The update fixes the problems by changing the way that both Skype for Business Server and Lync Server sanitize user input and updates iQuery in both products.

MS15-105 (KB 3091287)

This is an update for the Hyper-V component in Windows. It affects Windows 8.1 on x64 machines, Windows Server 2012 R2 and Windows 10 x64, but only those that have enabled the Hyper-V role. It is rated Important for all.

The update addresses a single vulnerability that occurs when ACL settings are incorrectly applied in Hyper-V. To exploit it, an attacker must run a specially crafted application. There are no mitigations or workarounds published for this vulnerability.

The update fixes the problem by changing the way Hyper-V applies ACL configuration settings.