Microsoft released 14 patches on its third monthly Update Tuesday, to include critical patches for the FREAK flaw and Internet Explorer.
With five critical patches released in total, to address a total of 44 vulnerabilities in all, experts recommended patching MS15-018 first, the bulletin for Internet Explorer. Trustwave’s Karl Sigler said that Internet Explorer accounts for fifteen of the vulnerabilities, the majority of which are memory corruption bugs, the worst of which could result in remote code execution.
He said: “This bulletin patches twelve vulnerabilities in Internet Explorer, the majority of which are memory corruption flaws. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user running IE.
“This security update covers Internet Explorer 6 (IE 6) through Internet Explorer 11 (IE 11) and is rated Critical on affected Windows clients and Moderate for affected Windows servers.”
Alan Bentley, SVP International at HEAT Software (formerly Lumension), said that two vulnerabilities were publicly disclosed, and one is under active attack, the other ten CVEs were privately reported and impact all versions of IE.
Rated as “important”, MS15-031 patches the vulnerability in the Secure Channel (Schannel) which could allow security feature bypass.
Sigler said: “This bulletin patches a vulnerability in Microsoft Windows that facilitates exploitation of the publicly disclosed FREAK technique, an industry-wide issue that is not specific to Windows operating systems. Any Windows system using Schannel to connect to a remote TLS server with an insecure cipher suite is affected.”
Tod Beardsley, engineering manager at Rapid7, said: “The news here is that Microsoft Schannel – the Windows analog of OpenSSL – is also susceptible to cipher downgrade attacks by active attackers. This isn’t particularly surprising, given Microsoft’s traditional role as a software vendor to Government institutions the world over; it would be strange is Windows did not ship with the weakened, export-grade ciphers that enables the attack in the first place.
“Because of the active man-in-the-middle requirement, this bug can be pretty useful for spies who are targeting specific users in otherwise high security network environments. It’s not very useful for typical internet criminals, since there are much easier methods to redirect and gather user traffic at varying levels of sophistication.”
Also highlighted was MS15-020, which is rated critical for all versions of Windows, and allows an attacker to trick a target into browsing a directory on a website or opening a file. Wolfgang Kandek, CTO of Qualys, said: “Windows Text Services has a vulnerability that allows the attacker to gain remote code execution on the machine. It also has a fix for CVE-2015-0096, a vulnerability related to the original Stuxnet vulnerability CVE-2010-2568.”
Sigler said: “This patches two vulnerabilities in Microsoft Windows. The two vulnerabilities exist when DLLs are loaded that improperly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the logged-on user.”