Tuesday, June 9, 2015

Patch Week: time to update Windows, Flash, and VMWare

It's that time of the month again: the time when several software makers unload their latest software updates to address vulnerabilities discovered in their software. This time, Microsoft blesses us with 8 updates covering the Windows operating system, Internet Explorer, Windows Media Player, and Exchange Server. Adobe delivers the latest update for Flash Player; and VMWare issues updates for their popular virtualization software.

At least two of the vulnerabilities are exploited through a browser plug-in (Flash Player, and Windows Media Player). Google and Mozilla make it simple to make plug-ins be "click-to-play" in Chrome and Firefox, which prevents a malicious media file from compromising your computer simply by browsing to a website. Internet Explorer, alas, has no such option. Keep in mind that click-to-play simply prevents malicious content from playing immediately upon browsing to a site - if you choose to let the content play, it can still exploit the vulnerability.

  • MS15-056: Internet Explorer; with the most severe vulnerability, simply browsing to a compromised web site is enough for an attacker to take control of your computer. SANS Internet Storm Center reports that CVE-2015-1765 (an information disclosure vulnerability) was already public.
  • MS15-057: Windows Media Player; browsing to a compromised website that plays a malicious media file is enough to trigger this exploit, which allows an attacker to run any code they choose
  • MS15-058 not released
  • MS15-059: Microsoft Office; with this vulnerability, opening a malicious document (which may be delivered as an email attachment) allows an attacker to run any code of their choosing.
  • MS15-060: Internet Explorer; a vulnerability exists in the "Microsoft Common Controls" feature, in which browsing to a compromised website and then clicking "F12" to launch developer tools allows an attacker to run code of their choosing.
  • MS15-061: Windows Operating System; a malicious executable (such as might be delivered by email, or downloaded in the browser) can exploit this vulnerability to gain elevated privileges. This could allow malware to bypass UAC controls and run with administrator rights.
  • MS15-062: Active Directory; affects only servers acting as Domain Controllers; an attacker can submit a specially-crafted URL to the server, which could then be run unintentionally by a user logged in with administrative credentials.
  • MS15-063: Windows Operating System; an attacker would have to place a malicious DLL file on the system or a shared drive, then get the user to run a program that loads that DLL. In this case, the attacker could gain elevated privileges.
  • MS15-064: Exchange Server; if a user clicked on a malicious URL while logged into Exchange Server as a privileged user, the attacker could gain elevated privileges.

  • APSB15-11: Flash Player; a variety of vulnerabilities, the most severe of which could let an attacker take control of your computer if you browse to a compromised website with malicious Flash content.

  • VMSA-2015-0004: VMWare Workstation, VMWare Fusion, and Horizon View Client; the most significant vulnerability could allow a user within a guest operating system to take control of the host operating system, a condition known as a VM escape.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen