Microsoft Patch Tuesday, May 2015

May's Patch Tuesday is upon us, and with it come three Critical and eleven Important rated bulletins. Although this release has only three more bulletins than last month (and one fewer Critical bulletin), it still fixes 48 individual CVEs, nearly twice as many as last month. It's not much of a surprise that Internet Explorer accounts for 22 of those 48 vulnerabilities, the most severe of which could result in arbitrary remote code execution. The two other Critical bulletins are in Microsoft's GDI+ and Windows Journal. The GDI+ bulletin contains two separate vulnerabilities that can be exploited by embedding a maliciously crafted TrueType font into a document that will be processed by a Windows program like Lync, Office or Silverlight. The Windows Journal bulletin wraps up six individual vulnerabilities, the worst of which would allow remote code execution through a malicious Journal file.

Probably the biggest news affecting Patch Tuesday came out of the Microsoft Ignite Conference, where the entire idea of Patch Tuesday was revisited. At the conference, Microsoft announced that there would be no more Patch Tuesday for the upcoming Windows 10 release. Instead, Microsoft will be adopting a more agile 24/7 patching cycle where patches will be pushed out as soon as they are written. The new program will be called Windows Update for Business (WUB).

The program is based on Distribution Rings: admins who want to push out patches as soon as they are available can do so, while admins who prefer to wait until a patch has been thoroughly tested can wait. While providing patches immediately for admins is an excellent move on Microsoft's part, it leaves many questions unanswered. Will older OSes like Vista and Windows 8 receive patches at the same time as Windows 10? How will on-demand patches affect the Microsoft Active Protections Program (MAPP)? MAPP gives security vendors like Trustwave an early look at patches before they are released on Patch Tuesday. This gives security vendors time to create protections like Anti-Virus and Network IDS signatures before the vulnerabilities being patched become public knowledge. We'll have to wait and see, but several months from now Microsoft Patch write-ups like this one may look completely different.

MS15-043
Critical
CVE-2015-1658, CVE-2015-1684, CVE-2015-1685, CVE-2015-1686, CVE-2015-1688, CVE-2015-1689, CVE-2015-1691, CVE-2015-1692, CVE-2015-1694, CVE-2015-1703, CVE-2015-1704, CVE-2015-1705, CVE-2015-1706, CVE-2015-1708, CVE-2015-1709, CVE-2015-1710, CVE-2015-1711, CVE-2015-1712, CVE-2015-1713, CVE-2015-1714, CVE-2015-1717, CVE-2015-1718
Cumulative Security Update for Internet Explorer

This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

This security update is rated Critical for Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) on affected Windows servers.

MS15-044
Critical
CVE-2015-1670, CVE-2015-1671
Vulnerabilities in GDI+ Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded TrueType fonts.

This security update is rated Critical for supported releases of Microsoft Windows and all affected editions of Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight.

MS15-045
Critical
CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, CVE-2015-1698, CVE-2015-1699
Vulnerability in Windows Journal Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted Journal file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

MS15-046
Important
CVE-2015-1682, CVE-2015-1683
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security update resolves two vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

This security update is rated Important for all supported editions of the following software:

  • Microsoft Office 2007, Microsoft Word 2007
  • Microsoft Office 2010, Microsoft Excel 2010, Microsoft PowerPoint 2010, Microsoft Word 2010
  • Microsoft Office 2013, Microsoft Excel 2013, Microsoft PowerPoint 2013, Microsoft Word 2013
  • Microsoft Office 2013 RT, Microsoft Excel 2013 RT, Microsoft Word 2013 RT
  • Microsoft PowerPoint Viewer
  • Word Automation Services on Microsoft SharePoint Server 2010, Excel Services
  • Word Automation Services on Microsoft SharePoint Server 2013
  • Microsoft Office Web Apps 2010, Microsoft Excel Web App 2010, Microsoft PowerPoint Web App 2010, Microsoft Word Web App 2010, Microsoft Office Web Apps Server 2010
  • Microsoft Excel Web App 2013, Microsoft Word Web App 2013, Microsoft Office Web Apps Server 2013
  • Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2010
  • Microsoft SharePoint Server 2013

MS15-047
Important
CVE-2015-1700
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site.

This security update is rated Important for supported editions of Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2013, Microsoft SharePoint Foundation 2013, Microsoft Project Server 2010, and Microsoft Project Server 2013.

MS15-048
Important
CVE-2015-1672, CVE-2015-1673
Vulnerabilities in .NET Framework Could Allow Escalation of Privilege

This security update resolves vulnerabilities in Microsoft .NET Framework. The more severe of the vulnerabilities could allow escalation of privilege if an attacker sends specially crafted data to a Windows Forms application running in partial trust.

This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on affected releases of Microsoft Windows.

MS15-049
Important
CVE-2015-1715
Vulnerability in Silverlight Could Allow Escalation of Privilege

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow escalation of privilege if a specially crafted Silverlight application is run on an affected system. To exploit the vulnerability, an attacker would first have to log on to the system or convince a logged-on user to execute the specially crafted application.

This security update is rated Important for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows.

MS15-050
Important
CVE-2015-1702
Vulnerability in Service Control Manager Could Allow Escalation of Privilege

This security update resolves a vulnerability in the Windows Service Control Manager (SCM), which is caused when the SCM improperly verifies impersonation levels. The vulnerability could allow escalation of privilege if an attacker could first log on to the system, and then run a specially crafted application designed to increase privileges.

This security update is rated Important for all supported editions of Microsoft Windows.

MS15-051
Important
CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, CVE-2015-1680, CVE-2015-1701
Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Escalation of Privilege

This security update resolves six vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow escalation of privilege if an attacker could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

This security update is rated Important for all supported editions of Windows.

MS15-052
Important
CVE-2015-1674
Vulnerability in Windows Kernel Could Allow Security Feature Bypass

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow the bypass of Kernel Address Space Layout Randomization (KASLR) memory protections if an attacker can log on to an affected system and run a specially crafted application.

This security update is rated Important for supported editions of Windows Server 2003 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.

MS15-053
Important
CVE-2015-1684, CVE-2015-1686
Vulnerabilities in JScript and VBScript Scripting Engines Could Allow Security Feature Bypass

This security update resolves ASLR security feature bypasses in the JScript and VBScript scripting engines in Microsoft Windows. An attacker could use an ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, that could take advantage of the ASLR bypass to run arbitrary code. For example, a remote code execution vulnerability that is blocked by ASLR could be exploited after a successful ASLR bypass.

This security update is rated Important for affected versions of the VBScript scripting engine on supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, and Server Core installations of Windows Server 2008 R2.

MS15-054
Important
CVE-2015-1681
Vulnerability in Microsoft Management Console File Format Could Allow Denial of Service

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote, unauthenticated attacker could convince a user to open a share containing a specially crafted .msc file. However, the attacker would have no means to force a user to visit the share or view the file.

This security update is rated Important for all supported editions of Microsoft Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

MS15-055
Important
CVE-2015-1716
Vulnerability in Schannel Could Allow Information Disclosure

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow information disclosure when Secure Channel (Schannel) allows the use of a weak Diffie-Hellman ephemeral (DHE) key length of 512 bits in an encrypted TLS session. Allowing 512-bit DHE keys makes DHE key exchanges weak and vulnerable to various attacks. A server needs to support 512-bit DHE key lengths for an attack to be successful; the minimum allowable DHE key length in default configurations of Windows servers is 1024 bits.

This security update is rated Important for all supported releases of Microsoft Windows.
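
For defenders auditing servers for the weak DHE lengths described in MS15-055, the following added example (not from Microsoft or the original post) parses a captured TLS ServerKeyExchange handshake message and reports the bit length of the DHE prime. The function names, the `MIN_DHE_BITS` threshold variable and the sample messages are assumptions constructed for illustration; the parser assumes the negotiated cipher suite is a DHE suite.

```python
import struct

MIN_DHE_BITS = 1024  # default Windows server minimum cited in the bulletin text


def dhe_prime_bits(handshake: bytes) -> int:
    """Bit length of dh_p in a TLS ServerKeyExchange message (DHE suites only)."""
    if len(handshake) < 4 or handshake[0] != 0x0C:  # 0x0C = server_key_exchange
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    fields, off = [], 0
    # ServerDHParams: three opaque vectors, each with a 2-byte length prefix.
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name}")
        (n,) = struct.unpack_from(">H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        fields.append(body[off:off + n])
        off += n
    # Any signature that follows the parameters is ignored here.
    return int.from_bytes(fields[0], "big").bit_length()


def classify(handshake: bytes):
    """Return (prime bit length, 'weak' or 'ok') against MIN_DHE_BITS."""
    bits = dhe_prime_bits(handshake)
    return bits, ("weak" if bits < MIN_DHE_BITS else "ok")


def sample_ske(p_bits: int) -> bytes:
    """Constructed test message: dh_p has the right size but is not a real prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes(p_bits // 8, "big")
    ys = b"\x01" * (p_bits // 8)
    body = b"".join(struct.pack(">H", len(x)) + x for x in (p, b"\x02", ys))
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for size in (512, 1024):
        print(size, classify(sample_ske(size)))
```
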
