IT administrators today were granted a relatively light month of security bulletins from Microsoft, which is likely to be welcomed given that Windows Server 2003 security support ends in little more than a month.
Microsoft today released eight bulletins, two of them rated critical, including a now-customary beefy Internet Explorer update.
Two-dozen vulnerabilities were addressed in the latest cumulative update for IE, MS15-056, a good chunk of those flaws rated critical in later versions of the browser. Most of the vulnerabilities enable remote code execution; one information disclosure bug has been publicly disclosed, but Microsoft said it is not aware of exploits in the wild.
Microsoft said the publicly disclosed bug allows an attacker to access a user’s browser history; the update prevents browser histories from being accessed by a malicious site. The flaw does not impact Windows Server installations since those run by default in Enhanced Security Configuration, which is a restricted mode that reduces the chances of web content being executed on the server.
“Although an attacker could almost certainly read the browsing history after exploiting any of the other dozens of vulnerabilities plugged this month, it seems likely to me that the information disclosure is going to be more easily exploited than any memory corruption bug,” said Craig Young, security researcher at Tripwire.
Young also calls out one of the memory flaws, CVE-2015-1756, which is rated important by Microsoft in MS15-060. The bug is a use-after-free vulnerability in Microsoft Common Controls subsystem, which could allow remote code execution if the user interacts with malicious content through IE and then invokes F12 Developer Tools in IE.
“This flaw presents an interesting attack vector for going after researchers using the Internet Explorer ‘Developer Tools’ to analyze a malicious of malfunctioning web site,” Young said.
The IE bulletin also addresses three elevation of privilege flaws and a long list of memory corruption vulnerabilities that enable an attacker to run code on a victim’s machine.
The other critical bulletin, MS15-057, patches a remote code execution bug in Windows Media Player. Malicious media content executed by the vulnerable media player could give an attacker complete control over the user’s computer, Microsoft said. The bulletin is rated critical for Windows Media Player 10 on Windows Server 2003, Windows Media Player 11 on Vista or Windows Server 2008, and Windows Media Player 12 on Windows 7 or Server 2008 R2. Microsoft said it addressed how the player handles DataObjects to correct the vulnerability. Microsoft did provide one workaround that involves removing wmplayer.exe from the IE ElevationPolicy.
The Windows Media Player vulnerability was reported through coordinated vulnerability disclosure, Microsoft said, adding that it is not aware of public attacks exploiting this bug.
The remaining bulletins are rated important by Microsoft:
Microsoft also released two separate security advisories, one updating Flash Player in Internet Explorer, addressing security vulnerabilities already patched by Adobe earlier in the day, while the other updates the Juniper Networks Windows In-Box Junos Pulse Client for Windows 8.1 and RT 8.1. Junos Pulse is a VPN shipped with Windows 8.1 and later.
The update patches the so-called FREAK vulnerability and other OpenSSL issues in Junos Pulse.
kb.juniper.net/InfoCenter/index?page=content&id=KB29833
msdn.microsoft.com/en-us/library/windows/desktop/bb775493%28v=vs.85%29.aspx
technet.microsoft.com/en-us/library/security/2755801.aspx
technet.microsoft.com/en-us/library/security/2962393.aspx
technet.microsoft.com/en-us/library/security/MS15-056
technet.microsoft.com/en-us/library/security/MS15-057
technet.microsoft.com/library/security/MS15-059
technet.microsoft.com/library/security/MS15-060
technet.microsoft.com/library/security/MS15-061
technet.microsoft.com/library/security/MS15-062
technet.microsoft.com/library/security/MS15-063
technet.microsoft.com/library/security/MS15-064
technet.microsoft.com/library/security/ms15-jun
threatpost.com/adobe-patches-13-vulnerabilities-in-flash-player/113222
www.microsoft.com/en-us/server-cloud/products/windows-server-2003/