Tuesday, June 9, 2015

Patch Week: time to update Windows, Flash, and VMware

It's that time of the month again: the time when several software makers release their latest updates to address vulnerabilities discovered in their software. This time, Microsoft blesses us with 8 updates covering the Windows operating system, Internet Explorer, Windows Media Player, and Exchange Server. Adobe delivers the latest update for Flash Player, and VMware issues updates for their popular virtualization software.

At least two of the vulnerabilities are exploited through a browser plug-in (Flash Player and Windows Media Player). Google and Mozilla make it simple to set plug-ins to "click-to-play" in Chrome and Firefox, which prevents a malicious media file from compromising your computer simply because you browsed to a website. Internet Explorer, alas, has no such option. Keep in mind that click-to-play only prevents malicious content from playing immediately upon browsing to a site - if you choose to let the content play, it can still exploit the vulnerability.

  • MS15-056: Internet Explorer; with the most severe vulnerability, simply browsing to a compromised web site is enough for an attacker to take control of your computer. SANS Internet Storm Center reports that CVE-2015-1765 (an information disclosure vulnerability) was already public.
  • MS15-057: Windows Media Player; browsing to a compromised website that plays a malicious media file is enough to trigger this exploit, which allows an attacker to run any code they choose.
  • MS15-058 not released
  • MS15-059: Microsoft Office; with this vulnerability, opening a malicious document (which may be delivered as an email attachment) allows an attacker to run any code of their choosing.
  • MS15-060: Internet Explorer; a vulnerability exists in the "Microsoft Common Controls" feature, in which browsing to a compromised website and then pressing "F12" to launch developer tools allows an attacker to run code of their choosing.
  • MS15-061: Windows Operating System; a malicious executable (such as might be delivered by email, or downloaded in the browser) can exploit this vulnerability to gain elevated privileges. This could allow malware to bypass UAC controls and run with administrator rights.
  • MS15-062: Active Directory; affects only servers acting as Domain Controllers; an attacker can submit a specially-crafted URL to the server, which could then be run unintentionally by a user logged in with administrative credentials.
  • MS15-063: Windows Operating System; an attacker would have to place a malicious DLL file on the system or a shared drive, then get the user to run a program that loads that DLL. In this case, the attacker could gain elevated privileges.
  • MS15-064: Exchange Server; if a user clicked on a malicious URL while logged into Exchange Server as a privileged user, the attacker could gain elevated privileges.

  • APSB15-11: Flash Player; a variety of vulnerabilities, the most severe of which could let an attacker take control of your computer if you browse to a compromised website with malicious Flash content.

  • VMSA-2015-0004: VMware Workstation, VMware Fusion, and Horizon View Client; the most significant vulnerability could allow a user within a guest operating system to take control of the host operating system, a condition known as a VM escape.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.