This month we see another very large patch release from Microsoft, with 14 updates, five rated as critical and the remaining nine rated as important. This is almost twice as many updates as Microsoft released in the first quarter of 2014! Your focus for March should be on the update to Microsoft’s VBScript Engine which is patched in two updates: MS15-018 and MS15-019. Both of these updates should be top priority for deployment as they resolve almost half of the 43 reported security issues covered in this month’s update cycle.
Though we have not seen the re-emergence of the Microsoft Advance Notification Service (ANS), Microsoft has updated its technical bulletin summaries with a new column called Known Issues. Unfortunately, at the time of writing, several related Microsoft Knowledge Base (KB) articles are still redirecting to Microsoft 404 “Page not found” or Oops pages.
MS15-018 — Critical
The first critical update for this March Microsoft Update Tuesday is MS15-018 which resolves 12 issues in all versions of Microsoft Internet Explorer (IE). The most severe vulnerability may lead to a remote code execution scenario. In this case, a malicious attacker could create a specially crafted web page that included an ActiveX control that could then be marked as “safe for initialisation” and therefore granted user level security privileges, potentially resulting in a remote code execution scenario. This latest patch from Microsoft (MS15-018) looks like an update to a previous patch MS15-009 which attempted to address similar vulnerabilities in the Microsoft VBScript engine. In fact, it looks like IE is just another vector for this scripting vulnerability as we see Microsoft also provide an OS level update for VBScript in MS15-019.
MS15-019 — Critical
The second critical update for March, MS15-019, is closely related to the IE update MS15-018 as it also deals with memory handling vulnerabilities in the Microsoft VBScript Engine. In addition, the recent update MS15-019 replaces a previously released patch to the Microsoft VBScript Engine MS14-084. MS15-019 updates several versions of the Microsoft VBScript engine including versions 5.6, 5.7 and 5.8. This means that Windows Server 2003, Vista and Server 2008 Service Pack 2 systems are vulnerable. Microsoft has not published any mitigating factors or workarounds for this vulnerability but has noted that no information has been received regarding the successful exploitation of this core system vulnerability. Both patches, MS15-018 and MS15-019 should be top priorities in your patch deployment schedule.
MS15-020 — Critical
The third critical update for March is MS15-020 which relates to a Windows vulnerability that affects all supported versions of Microsoft Windows and may lead to a remote code execution scenario. MS15-020 patches two previously released fixes from Microsoft, MS12-048 and MS14-027, that were both rated as critical. If you have been following Microsoft updates for the past five years, you will have noticed that Microsoft has been attempting to resolve this particular class of issue since 2010 with the update MS10-046.
MS15-021 — Critical
The next critical update for March is MS15-021 which attempts to resolve eight reported vulnerabilities, five of which may lead to a remote code execution vulnerability in the Adobe Font Driver. These vulnerabilities relate to how the Adobe font driver reads or displays certain fonts, and several driver specific memory handling issues. No workarounds or mitigating factors have been published for this update, so it should be a priority for deployment.
MS15-022 — Critical
The final update rated as critical by Microsoft for this March Update Tuesday relates to five vulnerabilities that could lead to a remote code execution scenario for Microsoft Office desktop, server and web based systems. This update addresses several cross-site scripting (XSS) vulnerabilities in Microsoft Sharepoint and Office Server software as well as number of memory corruption issues.
MS15-023 — Important
MS15-023 addresses four vulnerabilities in the Windows kernel mode driver that could lead to a memory disclosure, or at worst an elevation of privilege scenario. This March patch replaces the Microsoft February update MS15-010, which appeared to cause a number of font distortion issues. You can find out more about this here. Given the history of these kinds of updates from Microsoft, I might suggest you test this update pretty thoroughly before full deployment. And, then I might even wait an extra week.
MS15-024 — Important
MS15-024 addresses a single vulnerability that relates to how Windows fails to handle initialized memory properly when dealing with specially crafted image files (PNG files). If unresolved, this security vulnerability could lead to information disclosure scenarios. Include this update in your standard patch testing and deployment program.
MS15-025 — Important
The Microsoft update MS15-025 relates to an attempt to resolve two reported issues that could lead to an elevation of privilege security scenario in how the Windows kernel manages Windows registry virtualisation and security token impersonation levels. Microsoft has published mitigating factors and a workaround for the registry vulnerability here. Include this update in your standard deployment program.
MS15-026 — Important
MS15-026 deals with five reported vulnerabilities in Microsoft Exchange Server which at worst could lead to an elevation of privilege scenario. This Exchange update addresses these vulnerabilities by correcting how Exchange Server handles page content in the Outlook Web App, and by correcting the way Exchange manages meeting organizer authenticity. Include this update in your standard deployment program.
MS15-027 — Important
MS15-027 deals with a single reported vulnerability that may lead to a spoofing scenario when the Microsoft NETLOGON service establishes a secure channel to a different machine with a “spoofed” machine name. To achieve an information disclosure scenario an attacker would have to be logged onto a domain level machine and be able to observe significant network traffic. Include this update in your standard deployment program.
MS15-028 — Important
MS15-028 deals with a single reported vulnerability when the Windows Task Manager fails to properly manage and enforce user level impersonation levels. This issue could lead to the bypass of Access Control Lists (ACL) checks and allow an attacker to run privileged executables. Include this update in your standard deployment program.
MS15-029 — Important
MS15-029 fixes an issue with the Microsoft photo decoder component that when handling JPEG XR image files could lead to a scenario where an attacker could gain privileged information about the target system. The attacker would not be able to execute programs or code which leads to Microsoft rating this as important. Include this update in your standard deployment program.
MS15-030 — Important
MS15-030 addresses a single vulnerability in the Microsoft Remote Desktop Protocol (RDP) which could lead to a denial of service security scenario. By default, most systems do not have RDP enabled, meaning those systems are not at risk from this issue. This update is rated as Important for all currently supported Microsoft desktop and server systems.
MS15-031 — Important
The final update for this massive March update from Microsoft is MS15-031 which relates to the publicly disclosed FREAK “Man in the middle” attack (MITM) that doesn’t just affect Windows, but the whole computing industry. This particular issue goes back to how the U.S. government limited the capabilities of encryption in the late 1990’s as part of its export restriction efforts. Now, with the increased capabilities of modern computers, this encryption restriction is relatively easily overcome, leading to significant weaknesses in most security systems. This update will affect all currently supported Windows desktop and server systems. Though this update is rated as important by Microsoft, this exploit may be employed widely, and therefore the deployment of this update should be a priority.