Microsoft released a set of updates for its products, July 2015
Microsoft has updated its products, closing a large number of vulnerabilities in them. A total of 4 updates with the Critical status and 10 with the Important status were released. SQL Server software, Internet Explorer web browser, various Windows and Office components have been upgraded. The MS15-065 update, about which we have already written , fixes 29 vulnerabilities in all versions of Internet Explorer, including the 0day RCE CVE-2015-2425 vulnerability in IE11 (Hacking Team 0day), which, according to MS, is already exploited by itw.
The company also closed another 0day LPE vulnerability in Windows (CVE-2015-2387), for which the Hacking Team had an exploit for it. We wrote about it earlier , the vulnerability is present in the system component atmfd.dll (Adobe Type Manager Font Driver) and allows you to elevate the privileges of the attacker in the system. The vulnerability has been closed by updating MS15-077 . The working version of the exploit is walking around the network and the vulnerability has been assigned the status “exploited itw”.
Update MS15-058 fixes several vulnerabilities in Microsoft SQL Server 2008+. Malicious users can exploit vulnerabilities for remote code execution or for elevating privileges in the system. Important. Exploitation Unlikely .
')
The MS15-066 update fixes the dangerous RCE vulnerability CVE-2015-2372 in the VBScript.dll component (VBScript Scripting Engine) on Windows Server 2003-2008. Attackers can remotely execute code in a web browser using a specially crafted web page with a VBScript control . Critical. Exploitation More Likely .
The MS15-067 update fixes the RCE vulnerability CVE-2015-2373 in the RDP component of the server on Windows 7 - 8. An attacker using a specially crafted query can execute remote code on Windows with an active RDP server. The executable files Rdpvideominiport.sys, Rdpcorets.dll, Rdpudd.dll, and also Rdpcore.dll were updated. Critical. Exploitation Unlikely .
Update MS15-068 fixes two RCE vulnerabilities CVE-2015-2361 and CVE-2015-2362 in the Hyper-V component on Windows Server 2008 - 8.1. Using these vulnerabilities, an application with administrator rights on a virtual machine running Hyper-V can execute its code on a host system (virtualization escape). The update is addressed to the Storvsp.sys driver. Critical. Exploitation Less Likely .
Update MS15-069 fixes two RCE vulnerabilities in all supported versions of Windows. Vulnerability CVE-2015-2368 is present in the Windows system component and allows an attacker to execute code in the system by placing a special DLL in the required directory. When a user starts a legitimate application from the same directory, the application will try to load the legitimate library into memory, but download a malicious one instead. The second vulnerability CVE-2015-2369 (Planting Remote Code Execution DLL) is present in the Media Device Manager component, but to exploit it, the attacker must place the malicious DLL in the directory with the malicious RTF file that will be opened by the user. For Windows 8.1, the update is addressed to the Atlthunk.dll library. Important. Exploitation More Likely .
Update MS15-070 fixes multiple vulnerabilities in Office. One of the vulnerabilities with the identifier CVE-2015-2424 (Microsoft Office Memory Corruption Vulnerability) is used by attackers in targeted attacks. Attackers can remotely execute code using specially crafted files. Important.
The MS15-071 update fixes the LPE vulnerability CVE-2015-2374 in the Netlogon component on the server editions of Windows. Using the vulnerability, an attacker can elevate his privileges in the system through the exploitation of the primary domain controller (primary domain controller, PDC). Important. Exploitation Unlikely .
Update MS15-072 fixes one LPE vulnerability CVE-2015-2364 in the Gdi32.dll component on all supported editions of Windows. An attacker can elevate his privileges in the system by launching a special application with an exploit. Important. Exploitation More Likely .
The MS15-073 update closes multiple vulnerabilities in the win32k.sys driver on all supported editions of Windows. Vulnerabilities can be used by attackers to enhance their privileges in the system (LPE), as well as for unauthorized reading of kernel-mode memory (Information Disclosure). Important.
The MS15-074 update closes the LPE vulnerability CVE-2015-2371 in the Windows Installer component for all supported versions of Windows. An attacker can elevate his privileges in the system by running a specially crafted .msi distribution file. The update is addressed to various files, including, Authui.dll, Msi.dll, Msimsg.dll, Msiexec.exe, Msihnd.dll, Appinfo.dll, Consent.exe. Important. Exploitation More Likely .
Update MS15-075 closes two LPE vulnerabilities in the OLE component (Ole32.dll) for all supported versions of Windows. Vulnerabilities allow an attacker to elevate his privileges in the system using a special application. Important. Exploitation More Likely .
Update MS15-076 closes LPE vulnerability in various OS components responsible for implementing Windows Remote Procedure Call (RPC) on all supported OS versions. The system drivers Cng.sys, Ksecpkg.sys and the system library Lsasrv.dll are updated. Important. Exploitation Less Likely .
1 - Exploitation More Likely
The probability of exploiting the vulnerability is very high, attackers can use an exploit, for example, for remote code execution.
2 - Exploitation Less Likely
The exploitation probability is average, since attackers are unlikely to be able to achieve a situation of sustainable exploitation, as well as due to the technical peculiarities of vulnerability and the complexity of developing an exploit.
3 - Exploit code unlikely
The exploitation probability is minimal and attackers are unlikely to be able to develop successfully working code and take advantage of this vulnerability to conduct an attack.
We recommend that our users install updates as soon as possible and, if you have not already done so, enable automatic delivery of updates using Windows Update (this option is enabled by default).
technet.microsoft.com/library/security/ms15-Jul
be secure.
The company also closed another 0day LPE vulnerability in Windows (CVE-2015-2387), for which the Hacking Team had an exploit for it. We wrote about it earlier , the vulnerability is present in the system component atmfd.dll (Adobe Type Manager Font Driver) and allows you to elevate the privileges of the attacker in the system. The vulnerability has been closed by updating MS15-077 . The working version of the exploit is walking around the network and the vulnerability has been assigned the status “exploited itw”.
Update MS15-058 fixes several vulnerabilities in Microsoft SQL Server 2008+. Malicious users can exploit vulnerabilities for remote code execution or for elevating privileges in the system. Important. Exploitation Unlikely .
')
The MS15-066 update fixes the dangerous RCE vulnerability CVE-2015-2372 in the VBScript.dll component (VBScript Scripting Engine) on Windows Server 2003-2008. Attackers can remotely execute code in a web browser using a specially crafted web page with a VBScript control . Critical. Exploitation More Likely .
The MS15-067 update fixes the RCE vulnerability CVE-2015-2373 in the RDP component of the server on Windows 7 - 8. An attacker using a specially crafted query can execute remote code on Windows with an active RDP server. The executable files Rdpvideominiport.sys, Rdpcorets.dll, Rdpudd.dll, and also Rdpcore.dll were updated. Critical. Exploitation Unlikely .
Update MS15-068 fixes two RCE vulnerabilities CVE-2015-2361 and CVE-2015-2362 in the Hyper-V component on Windows Server 2008 - 8.1. Using these vulnerabilities, an application with administrator rights on a virtual machine running Hyper-V can execute its code on a host system (virtualization escape). The update is addressed to the Storvsp.sys driver. Critical. Exploitation Less Likely .
Update MS15-069 fixes two RCE vulnerabilities in all supported versions of Windows. Vulnerability CVE-2015-2368 is present in the Windows system component and allows an attacker to execute code in the system by placing a special DLL in the required directory. When a user starts a legitimate application from the same directory, the application will try to load the legitimate library into memory, but download a malicious one instead. The second vulnerability CVE-2015-2369 (Planting Remote Code Execution DLL) is present in the Media Device Manager component, but to exploit it, the attacker must place the malicious DLL in the directory with the malicious RTF file that will be opened by the user. For Windows 8.1, the update is addressed to the Atlthunk.dll library. Important. Exploitation More Likely .
Update MS15-070 fixes multiple vulnerabilities in Office. One of the vulnerabilities with the identifier CVE-2015-2424 (Microsoft Office Memory Corruption Vulnerability) is used by attackers in targeted attacks. Attackers can remotely execute code using specially crafted files. Important.
The MS15-071 update fixes the LPE vulnerability CVE-2015-2374 in the Netlogon component on the server editions of Windows. Using the vulnerability, an attacker can elevate his privileges in the system through the exploitation of the primary domain controller (primary domain controller, PDC). Important. Exploitation Unlikely .
Update MS15-072 fixes one LPE vulnerability CVE-2015-2364 in the Gdi32.dll component on all supported editions of Windows. An attacker can elevate his privileges in the system by launching a special application with an exploit. Important. Exploitation More Likely .
The MS15-073 update closes multiple vulnerabilities in the win32k.sys driver on all supported editions of Windows. Vulnerabilities can be used by attackers to enhance their privileges in the system (LPE), as well as for unauthorized reading of kernel-mode memory (Information Disclosure). Important.
The MS15-074 update closes the LPE vulnerability CVE-2015-2371 in the Windows Installer component for all supported versions of Windows. An attacker can elevate his privileges in the system by running a specially crafted .msi distribution file. The update is addressed to various files, including, Authui.dll, Msi.dll, Msimsg.dll, Msiexec.exe, Msihnd.dll, Appinfo.dll, Consent.exe. Important. Exploitation More Likely .
Update MS15-075 closes two LPE vulnerabilities in the OLE component (Ole32.dll) for all supported versions of Windows. Vulnerabilities allow an attacker to elevate his privileges in the system using a special application. Important. Exploitation More Likely .
Update MS15-076 closes LPE vulnerability in various OS components responsible for implementing Windows Remote Procedure Call (RPC) on all supported OS versions. The system drivers Cng.sys, Ksecpkg.sys and the system library Lsasrv.dll are updated. Important. Exploitation Less Likely .
1 - Exploitation More Likely
The probability of exploiting the vulnerability is very high, attackers can use an exploit, for example, for remote code execution.
2 - Exploitation Less Likely
The exploitation probability is average, since attackers are unlikely to be able to achieve a situation of sustainable exploitation, as well as due to the technical peculiarities of vulnerability and the complexity of developing an exploit.
3 - Exploit code unlikely
The exploitation probability is minimal and attackers are unlikely to be able to develop successfully working code and take advantage of this vulnerability to conduct an attack.
We recommend that our users install updates as soon as possible and, if you have not already done so, enable automatic delivery of updates using Windows Update (this option is enabled by default).
technet.microsoft.com/library/security/ms15-Jul
be secure.
Source: https://habr.com/ru/post/262661/
All Articles