KLA10694 Multiple vulnerabilities in Microsoft Windows

Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities

1. Improper memory objects access at Edge can be exploited remotely via a specially designed web content to bypass security restrictions or execute arbitrary code;
2. Improper ASLR (Address Space Layout Randomization) implementation at Edge can be exploited remotely via a specially designed web content to bypass security restrictions;
3. Improper memory objects handling at kernel can be exploited by logged in user via a specially designed application to gain privileges;
4. Improper memory addresses initialization at kermel can be exploited by logged in user via a specially designed application to bypass security restrictions and obtain sensitive information;
5. Improper handling of embedded fonts at Adobe Type Manager Library can be exploited remotely via a specially designed web content or document to execute arbitrary code;
6. Improper permissions validation at kernel can be exploited by logged in user via a specially designed application to bypass security restrictions;
7. Improper buffer handling at Network Driver Interface Standard can be exploited by logged in user via a specially designed application to gain privileges;
8. Lack of memory address verification at Winsock can be exploited by logged in user via a specially designed application to gain privileges;
9. Improper encryption negotiation handling at Internet Protocol Security can be exploited by remote user with valid credentials via a specially designed application to cause denial of service;
10. Weakness at supported versions of Transport Layer Security protocol can be exploited remotely via man-in-the-middle attack to spoof user impersonation;
11. Improper password change handling at Kerberos can be exploited via a login manipulations to bypass security restrictions;
12. An unknown vulnerability at Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code.

Technical details

Vulnerability (4) can lead to Kernel ASLR bypass.

Vulnerability (7) caused by not checking buffer size prior to copy memory into it.

Vulnerability (8) caused by not checking memory address validity before call.

To exploit (10) remote attacker must cause man-in-the-middle attack between client and legitimate server. By exploiting this vulnerability attacker can impersonate victim on any other server that uses credentials same with attacked.

Vulnerability (11) caused by failing to check the password change of a user signing into a workstation. By exploiting this vulnerability attacker can bypass Kerberos authentication and decrypt drives protected by BitLocker.

Vulnerability (12) has multiple described mitigations designed to prevent opening malicious log file. Short list placed further, for full description look at MS15-115 advisory. Mitigations: do not open suspicious .jnt files; remove .jnt file association; remove Windows Journal; deny access to Journal.exe.

Original advisories

CVE-2015-6064

CVE-2015-6113

CVE-2015-6078

CVE-2015-2478

CVE-2015-6088

CVE-2015-6098

CVE-2015-6097

CVE-2015-6073

CVE-2015-6100

CVE-2015-6112

CVE-2015-6111

CVE-2015-6109

CVE-2015-6104

CVE-2015-6103

CVE-2015-6102

CVE-2015-6101

CVE-2015-6095

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Related products

Microsoft-Windows-Vista-4

Microsoft-Windows-Server-2012

Microsoft-Windows-8

Microsoft-Windows-7

Microsoft-Windows-Server-2008

Windows-RT

Microsoft-Windows-10

CVE list

CVE-2015-6064 critical

CVE-2015-6113 warning

CVE-2015-6078 critical

CVE-2015-2478 high

CVE-2015-6088 warning

CVE-2015-6098 high

CVE-2015-6097 critical

CVE-2015-6073 critical

CVE-2015-6100 high

CVE-2015-6112 high

CVE-2015-6111 high

CVE-2015-6109 warning

CVE-2015-6104 critical

CVE-2015-6103 critical

CVE-2015-6102 warning

CVE-2015-6101 high

CVE-2015-6095 warning

KB list

3081320

3100213

3105864

3097877

3105211

3102939

3105256

3092601

3101246

3105213

3104519

3101722

3104521

3101746

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.

• SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.

Affected Products

• Microsoft Windows 10Microsoft Windows 10 Version 1511Microsoft Windows Vista Service Pack 2Microsoft Windows Server 2008 Service Pack 2Microsoft Windows 7 Service Pack 1Microsoft Windows Server 2008 R2 Service Pack 1Microsoft Windows 8Microsoft Windows 8.1Microsoft Windows Server 2012Microsoft Windows Server 2012 R2