It's 2015, and someone can pwn Windows PCs by inserting a USB stick
Update Windows, Office, IE, Edge and Adobe Flash – plus OpenSSH
Patch Tuesday Microsoft has released 14 sets of software patches to address critical security vulnerabilities in Windows, Office, Internet Explorer, and Edge. Yes, even Edge: Microsoft's supposedly whizzbang super-secure web browser.
Users and sysadmins should apply August's Patch Tuesday fixes as soon as possible: the bugs can be exploited to remotely execute code on vulnerable systems, allowing miscreants to hijack computers and install malware by tricking people into opening documents and webpages.
Plugging a malicious USB device into a Windows PC can grant an attacker administrator privileges, allowing them to commandeer the computer. Microsoft said it had "reason to believe" that this USB vulnerability "has been used in targeted attacks against customers."
The full update includes:
- MS15-079: A critical update to fix 10 privately disclosed flaws in Internet Explorer. IE 7 through 11 are listed as vulnerable. Most of these bugs allow attackers to execute malicious code remotely by exploiting memory corruption in the browser. The code would be delivered in a specially crafted webpage, so browsing a dodgy website would be enough to pwn Internet Explorer.
- MS15-80: Flaws in the Microsoft Graphics Component for Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight. The update is listed as critical for Windows Vista through Windows 10 and all supported versions of Windows Server. A specially crafted document, or an untrusted webpage that contains embedded TrueType or OpenType fonts, can trigger the bugs to execute malicious code with full administrator privileges.
- MS15-081: Eight CVE-listed flaws in Office 2007-2016, including Office for Mac. The update includes remote code execution vulnerabilities, one of which has already been publicly disclosed. Opening a specially crafted Office file will trigger the execution of code hidden in the document.
- MS15-082: Two CVE-listed remote code execution flaws in the Windows Remote Desktop Protocol (RDP) component for Windows Vista through Windows 8 and 8.1. They can be exploited to gain remote-code execution with full administrator privileges.
- MS15-083: Remote-code execution flaw in Windows Vista, Windows Server 2008, and Server Core Installation. The bug is triggered "if an attacker sends a specially crafted string to the SMB server error logging," according to Microsoft.
- MS15-084: Three CVE-listed vulnerabilities in the XML parsing code in Windows Vista through Windows 8.1 and Office 2007. These can be exploited to reveal the contents of an attacked machine's memory. "An attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message," Microsoft noted.
- MS15-085: One CVE-listed flaw in Windows Vista through Windows 10 allows an attacker to gain administrator-level access if they plug in an evil USB device. "The vulnerability could allow elevation-of-privilege if an attacker inserts a malicious USB device into a target system. An attacker could then write a malicious binary to disk and execute it," according to Microsoft.
- MS15-086: One elevation-of-privilege flaw in Windows System Center/Bulletin. "The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL," Microsoft said.
- MS15-087: A cross-site scripting vulnerability for UDDI Services in Windows Server 2008 and Server Core Installation. "The vulnerability could allow elevation-of-privilege if an attacker engineered a cross-site scripting (XSS) scenario by inserting a malicious script into a webpage search parameter. A user would have to visit a specially crafted webpage where the malicious script would then be executed," we're told.
- MS15-088: An information disclosure vulnerability in Windows Vista through Windows 10 and Windows Server 2008–2012. One CVE-listed flaw that has been publicly disclosed.
- MS15-089: An information disclosure flaw in WebDAV for Windows Vista through Windows 8.1. Windows Server 2008 and Server 2012 are also vulnerable.
- MS15-090: Three elevation-of-privilege flaws in Windows Vista through Windows 8.1 and Server 2008/Server Core Installation, allowing a miscreant to gain admin-level access. "The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application or convinces a user to open a specially crafted file that invokes a vulnerable sandboxed application, allowing an attacker to escape the sandbox," said Microsoft.
- MS15-091: A cumulative security update for the Microsoft Edge web browser for Windows 10 systems. The update includes fixes for four CVE-listed flaws potentially allowing for remote-code execution. "The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge," the biz said.
- MS15-092: Three elevation-of-privilege flaws in .NET Framework for Windows Vista through Windows 10 and Server Core Installation, allowing miscreants to gain administrator-level access. "The vulnerabilities could allow elevation of privilege if a user runs a specially crafted .NET application. However, in all cases, an attacker would have no way to force users to run the application; an attacker would have to convince users to do so," explained Microsoft.
If Microsoft's fixes weren't enough, Adobe has posted an update to fix 34 CVE-listed vulnerabilities in Flash Player. Users running Flash on Windows, OS X, and Linux should update (or disable or set as click-to-run) the Adobe Flash player.
Finally, OpenSSH 7.0 has been released, which fixes four security bugs and bans password-based root logins by default. ®