Security

Microsoft kills TWO Hacking Team vulns: NOT the worst in this Patch Tues either

Office desktops, RDP servers, Hyper-V systems, all hit

Microsoft has released fixes for 59 CVE-listed vulnerabilities in its software – including a patch for the elevation-of-privilege flaw in Windows exploited by spyware maker Hacking Team.

There's a patch (MS15-065) for a remote-code execution bug in Internet Explorer 11 on Windows 7 and 8.1 that also emerged from the Hacking Team leak. Someone tried to sell details of the hole to the Italian surveillance-ware maker, and although the company declined to buy an exploit, enough information was exchanged in the subsequently leaked emails to reveal the flaw.

It's possible there are even more Hacking Team-linked vulnerabilities fixed in this month's Patch Tuesday batch.

There's a remote-code execution hole in Redmond's RDP server on Windows 7 and 8, and Server 2012 and Server Core, and also one in SQL server. There's a Hyper-V guest escape. This Patch Tuesday has something for everyone:

  • MS15-077: The Hacking Team elevation-of-privilege bug in the Windows Adobe Type Manager Font Driver that allows normal programs to gain administrator-level access. The flaw exists in Server 2003 and in Windows Vista and later for desktops and notebooks. The flaw is listed as "important," though the availability of exploit code in the wild should make patching a top priority.
  • MS15-065: The usual IE patch, this time with 29 CVE-listed flaws in Internet Explorer, including remote code execution vulnerabilities. The bulletin is listed as a "critical" fix, and includes an update to address the other Hacking Team-related bug.
  • MS15-066: A bulletin for remote-code execution in the VBScript Scripting Engine. The bulletin is listed as "critical" for Windows machines running IE 6, 7, and 8. Bo Qu of Palo Alto Networks was credited for discovery.
  • MS15-067: A remote-code execution flaw in Remote Desktop Protocol servers running on Windows 7, Windows 8, Server 2012, and Server Core. The bulletin is rated as "critical" with no discovery credit given.
  • MS15-068: Two CVE-listed remote-code execution vulnerabilities in Hyper-V for Windows Server 2008, Windows 8/8.1, Server 2012, and Server Core. An application running in a guest application can exploit this bug to run code on the host. Nightmare. The bulletin is listed as "critical," with discovery credit going to Microsoft's Thomas Garner.
  • MS15-058: Remote-code execution flaws in SQL server. Listed as an "important" risk with no discovery credit given.
  • MS15-069: A pair of remote-code execution vulnerabilities involving RTF and DLL files in Windows Server 2003 and 2012, and Windows Vista to Windows 8.1 RT. The bulletin is listed as "important," with discovery credit going to Haifei Li of McAfee Labs IPS Team and Ashutosh Mehra of HP Zero Day Initiative.
  • MS15-070: An update for eight CVE-listed flaws in Microsoft Office 2007, 2010, 2013, and Office for Mac. The bulletin is listed as "important," although it is possible to exploit some of the bugs to execute arbitrary code on a vulnerable PC if a malicious Office files is opened.
  • MS15-071: An elevation-of-privilege flaw in Netlogon for Windows Server 2003 and later. The bulletin is listed as "important." Discovery credit was not given.
  • MS15-072: An elevation-of-privilege flaw in Windows Graphics Component for Windows Server 2003, 2008, 2012, and Server Core as well as Windows Vista, Windows 7, Windows 8, and Windows RT. The vulnerability is listed as "important" and discovery credit was given to Nicolas Joly.
  • MS15-073: Six elevation-of-privilege and information disclosure flaws in the Windows kernel-mode driver for Windows Server 2003 and later and Windows Vista and later. The bulletin is listed as "important," with credit going to Nils Sommer of zytegeist and Matt Tait of Google Project Zero and enSilo.
  • MS15-074: An elevation-of-privilege vulnerability in Windows Installer for Server 2003 and later, as well as Vista and later. The bulletin is listed as "important" with credit going to Mariusz Mlynsk of HP Zero Day Initiative.
  • MS15-075: Two elevation-of-privilege flaws in Windows OLE for Server 2003 and later and Windows Vista and later. The flaw is listed as "important." Discovery credit was given to Nicolas Joly.
  • MS15-076: Elevation-of-privilege flaw in systems after Windows Server 2003 and Windows Vista. The bulletin was listed as "important" with no discovery credit given.

Get patching before hackers start exploiting them. It also the final Patch Tuesday for Server 2003.

Along with the Microsoft updates, users and admins should also patch or disable Adobe Flash, Acrobat, Reader and Shockwave, as a fresh batch of security fixes are also available for the software today.

If you're like Facebook's new security chief, you may just be wishing Flash would die. ®

Sponsored: The Nuts and Bolts of Ransomware in 2016