In July’s Patch Tuesday update, Microsoft issued 14 security fixes for its software, compared to eight bulletins released in June. Those patches are on top of the Adobe patches to fix zero-day vulnerabilities in Flash.
The patches fix dozens of vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft SQL Server, and Internet Explorer. Three of the bulletins, MS15-065, MS15-070, and MS15-077, address vulnerabilities that hackers are actively exploiting, according to Microsoft’s Dustin Childs.
MS15-065 deals with 28 flaws in IE 6 and later, including a number of fixes for critical vulnerabilities. MS15-065 affects the VBScript engine in Windows Server 2003, Windows Server 2008, and Windows Vista, where a flaw could allow hackers to take over a machine. And MS15-067 fixes issues in Windows 7 and Windows 8 affecting Remote Desktop Protocol (RDP).
Hacking Team Response
Craig Young, a security researcher at advanced threat detection firm Tripwire, told us the “prize pig” in July’s Patch Tuesday is, hands down, the remote desktop bug described in MS15-067. CVE-2015-2373 is the first code execution bug in RDP he can remember since 2012.
“This is very high impact because many businesses rely on remote desktop protocol and many advanced home users configure remote access for RDP into their home,” Young said. “This should definitely be on the top of everyone’s install list. Although Microsoft describes that code execution is tricky, there are a lot of smart people out there and I’m sure it won’t be long before proof-of-concept code starts floating around.”
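The practical question behind Young's remarks is whether a given machine exposes RDP and whether the update is on it. The following PowerShell inventory script is an added example, not code from the article or from Tripwire. It reports whether Remote Desktop is enabled, whether Network Level Authentication is required, which port is listening, and which of a supplied list of updates are missing. The `$KbIds` list is a placeholder, because the article names only bulletin IDs and not the KB numbers that `Get-HotFix` reports; fill it in from the bulletin before use.

```powershell
# Added example (not from the article): inventory one Windows host's RDP
# exposure and confirm whether a given set of updates is installed.
# $KbIds is a PLACEHOLDER; replace it with the KB numbers listed in the
# Microsoft bulletin you are checking (the article gives only bulletin IDs).

param(
    [string[]]$KbIds = @('KB0000000')   # placeholder, not a real KB for MS15-067
)

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is turned off on this host
$rdpEnabled = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required, so an
# unauthenticated client is rejected before it reaches the full RDP session stack
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1

# Is anything currently listening on the configured RDP port (default 3389)?
$rdpPort   = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
$listening = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue

# Which of the requested updates are not present on this host?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($KbIds | Where-Object { $installed -notcontains $_ })

# A host needs attention when RDP is on and either the patch is absent or NLA is off
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    RdpEnabled     = $rdpEnabled
    NlaRequired    = $nlaRequired
    RdpPort        = $rdpPort
    RdpListening   = [bool]$listening
    MissingKBs     = ($missing -join ', ')
    NeedsAttention = $rdpEnabled -and (($missing.Count -gt 0) -or (-not $nlaRequired))
}
```

Run it from an elevated PowerShell prompt on each host (or push it through your existing remoting or configuration-management tooling) and collect the objects into a single report; the `NeedsAttention` field gives a first-pass list of machines to patch or harden.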
Meanwhile, with MS15-077, Young said Microsoft has answered the tough question of what happens when a zero-day is publicly disclosed just days before a scheduled patch release. The answer in this case is that Microsoft addressed the elevation of privilege bug used by the Hacking Team — the Italian company that supplies hacker tools to the world — to covertly give its surveillance software privileged access to affected Windows systems, he said.
Recently, three new critical zero-day vulnerabilities in Adobe Flash were made public after the Hacking Team itself was hacked. Adobe said successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. Adobe also said that exploits for these vulnerabilities have been published publicly.
On Tuesday, Adobe patched vulnerabilities CVE-2015-5122 and CVE-2015-5123 for Adobe Flash Player for Windows, Macintosh and Linux.
Beyond the Biggies
“We also now know that the dropped patch from June was, in fact, for a Microsoft SQL Server remote code execution bug,” Young said. “This issue will be particularly critical for database hosting providers allowing users access to create and manipulate database schema in a shared environment. Successful exploitation of this flaw would allow the attacker complete access to the SQL Server by leveraging a very specific edge case.”
Beyond the biggies, Young pointed to another bug he finds especially interesting, one that is also likely to affect many shared hosting providers: MS15-068.
“MS15-068 for Microsoft’s Hyper-V virtualization platform squashes a bug that would allow privileged users on guest machines to gain code execution on the hosting machine,” Young said. “This unicorn is actually two unicorns; it turns out that MS15-068 takes care of both a buffer overflow and an uninitialized memory bug.”