Redmond's Patch Tuesday to kill off the Windows FREAK show
IE update, Server fixes come in massive flaw fix
Microsoft has issued 14 security bulletins to protect against a total of 44 different CVE-listed security vulnerabilities in its monthly Patch Tuesday release.
The patch bundle includes Microsoft's solution for the now-infamous FREAK security vulnerability and some major fixes for Internet Explorer. Five of the patches are marked as "critical," and the rest are all "important".
The complete list of the March bulletins is as follows:
- MS15-018 A cumulative update for Internet Explorer 6-11. The package includes fixes for 12 CVE-classified vulnerabilities, including nine which could be exploited for remote code execution attacks. One of the flaws has been publicly disclosed, though no exploit code was posted or spotted in the wild.
The update is considered critical for all Windows client systems, while Windows Server installations are considered less of a risk as the browser is rarely used. Researchers with HP's Zero Day Initiative, Palo Alto Networks and several independent researchers were credit with bug discoveries.
- MS15-019 A fix for a single remote code execution vulnerability in the Internet Explorer 6-7 VBScript component. The update is only rated 'critical' for Windows Vista installations and Internet Explorer versions 8 and later are not listed as vulnerable to attack. Discovery was credited to Bo Qu of Palo Alto Networks.
- MS15-020 Two remote code execution flaws in Windows which could allow remote code execution by directing the user to a malicious webpage or launching an infected DLL file.
The bulletin has been rated 'critical' for all client and Server versions of Windows from Vista and Server 2003 through Windows 8.1 and Server 2012 R2. Two of the discoveries were credited to Garage4Hackers and Michael Heerklotz of HP's Zero Day Initiative while a third was spotted by Francis Provencher or Protek Research labs.
- MS15-021 Eight flaws in the Adobe Font Driver components for Windows and Windows Server exploitable through a malicious website or file. The fix is rated 'critical' for all supported versions of Windows and Windows Server due to the possibility of remote code execution. Mateusz Jurczyk of Google Project Zero spotted all eight vulnerabilities.
- MS15-022 Five CVE-listed vulnerabilites in Office and Sharepoint Server. The Office flaws could allow remote code execution when the user launched a malicious file while another could allow elevation of privilege on SharePoint servers by exploiting a cross-site-scripting vulnerability.
Credit for spotting the problem goes to researcher Adi Ivascu as well as 3S Labs of the HP Zero Day Initiative, Ben Hawkes of the Google Security Team and Noam Rathaus of SecuriTeam Secure Disclosure.
- MS15-023 Four vulnerabilities in the Windows Kernel-Mode driver allowing elevation of privilege and information disclosure attacks by way of launching a specially-crafted application.
This bulletin is rated as 'important' for all supported versions of Windows and Windows Server. Researcher 'KK' was credited with discovering a flaw, as was Ashutosh Mehra of Adobe Systems, James Forshaw of Google Project Zero and WanderingGlitch with the HP Zero Day Initiative.
- MS15-024 An information disclosure vulnerability in Windows exploited by launching a malformed PNG image. All versions of Windows and Windows Server are impacted with an aggregate security rating of 'important'. Researcher Michael Zalewski of Google spotted the vulnerability.
- MS15-025 Two vulnerabilities in the kernel all supported versions of Windows and Windows Server, exploitable via a malicious application. The vulnerabilities could be targeted to gain elevation of privilege on a targeted system. The bulletin is considered 'important'by Redmond and credit for discovery goes to James Forshaw of Google Project Zero.
- MS15-026 Five vulnerabilities in Exchange Server 2013, including elevation of privilege and spoofing flaws. Other versions of Windows and Windows Server are not vulnerable. Adi Vascu, Nicolai Grodum and Darius Petrescu got credit for reporting the bugs.
- MS15-027 One flaw in the Windows Server Netlogon component which could be exploited by an attacker to spoof another user on a local network. The flaw was rated 'important' for Windows Server 2003, 2008 and 2012 with client versions of Windows not affected. Discovery was credited to Alberto Solino of Core Security.
- MS15-028 An elevation of privilege vulnerability in Windows 7, RT, 8 and 8.1 as well as Windows Server 2008 through 2012 R2. The Task Scheduler flaw could be targeted by an attacker to raise system privileges. The bulletin is rated 'important' with credit going to James Forshaw of Google Project Zero.
- MS15-029 An information disclosure vulnerability in the Windows Photo Decoder for Windows Vista and later and Windows Server 2008 and later. The flaw could be exploited through a malformed JPG file and is classified as 'important' by Microsoft. Michael Zalewski of Google was given credit.
- MS15-030 A denial of service vulnerability in the Remote Desktop Protocol. The vulnerable component is present in Windows 7, 8 and 8.1 as well as Server 2012 and 2012 R2. The bulletin is rated as 'important' with no acknowledgement given.
- MS15-031 The aforementioned FREAK update. Microsoft has issued the fix for all supported versions of Windows and Windows Server running the vulnerable Schannel component. The company has labeled the fix as 'important'.
Redmond is advising all users and administrators to test (if necessary) and install the updates as soon as possible. ®