Microsoft kills TWO Hacking Team vulns: NOT the worst in this Patch Tues either

Office desktops, RDP servers, Hyper-V systems, all hit

Microsoft has released fixes for 59 CVE-listed vulnerabilities in its software – including a patch for the elevation-of-privilege flaw in Windows exploited by spyware maker Hacking Team.

There's a patch (MS15-065) for a remote-code execution bug in Internet Explorer 11 on Windows 7 and 8.1 that also emerged from the Hacking Team leak. Someone tried to sell details of the hole to the Italian surveillance-ware maker, and although the company declined to buy an exploit, enough information was exchanged in the subsequently leaked emails to reveal the flaw.

It's possible there are even more Hacking Team-linked vulnerabilities fixed in this month's Patch Tuesday batch.

There's a remote-code execution hole in Redmond's RDP server on Windows 7 and 8, and Server 2012 and Server Core, and also one in SQL Server. There's a Hyper-V guest escape. This Patch Tuesday has something for everyone:

  • MS15-077: The Hacking Team elevation-of-privilege bug in the Windows Adobe Type Manager Font Driver that allows normal programs to gain administrator-level access. The flaw exists in Server 2003 and in Windows Vista and later for desktops and notebooks. The flaw is listed as "important," though the availability of exploit code in the wild should make patching a top priority.
  • MS15-065: The usual IE patch, this time with 29 CVE-listed flaws in Internet Explorer, including remote code execution vulnerabilities. The bulletin is listed as a "critical" fix, and includes an update to address the other Hacking Team-related bug.
  • MS15-066: A bulletin for remote-code execution in the VBScript Scripting Engine. The bulletin is listed as "critical" for Windows machines running IE 6, 7, and 8. Bo Qu of Palo Alto Networks was credited for discovery.
  • MS15-067: A remote-code execution flaw in Remote Desktop Protocol servers running on Windows 7, Windows 8, Server 2012, and Server Core. The bulletin is rated as "critical" with no discovery credit given.
  • MS15-068: Two CVE-listed remote-code execution vulnerabilities in Hyper-V for Windows Server 2008, Windows 8/8.1, Server 2012, and Server Core. An application running in a guest can exploit this bug to run code on the host. Nightmare. The bulletin is listed as "critical," with discovery credit going to Microsoft's Thomas Garner.
  • MS15-058: Remote-code execution flaws in SQL Server. Listed as an "important" risk with no discovery credit given.
  • MS15-069: A pair of remote-code execution vulnerabilities involving RTF and DLL files in Windows Server 2003 and 2012, and Windows Vista to Windows 8.1 RT. The bulletin is listed as "important," with discovery credit going to Haifei Li of McAfee Labs IPS Team and Ashutosh Mehra of HP Zero Day Initiative.
  • MS15-070: An update for eight CVE-listed flaws in Microsoft Office 2007, 2010, 2013, and Office for Mac. The bulletin is listed as "important," although it is possible to exploit some of the bugs to execute arbitrary code on a vulnerable PC if a malicious Office file is opened.
  • MS15-071: An elevation-of-privilege flaw in Netlogon for Windows Server 2003 and later. The bulletin is listed as "important." Discovery credit was not given.
  • MS15-072: An elevation-of-privilege flaw in Windows Graphics Component for Windows Server 2003, 2008, 2012, and Server Core as well as Windows Vista, Windows 7, Windows 8, and Windows RT. The vulnerability is listed as "important" and discovery credit was given to Nicolas Joly.
  • MS15-073: Six elevation-of-privilege and information disclosure flaws in the Windows kernel-mode driver for Windows Server 2003 and later and Windows Vista and later. The bulletin is listed as "important," with credit going to Nils Sommer of bytegeist and Matt Tait of Google Project Zero and enSilo.
  • MS15-074: An elevation-of-privilege vulnerability in Windows Installer for Server 2003 and later, as well as Vista and later. The bulletin is listed as "important" with credit going to Mariusz Mlynski of HP Zero Day Initiative.
  • MS15-075: Two elevation-of-privilege flaws in Windows OLE for Server 2003 and later and Windows Vista and later. The flaw is listed as "important." Discovery credit was given to Nicolas Joly.
  • MS15-076: Elevation-of-privilege flaw in systems after Windows Server 2003 and Windows Vista. The bulletin was listed as "important" with no discovery credit given.

Get patching before hackers start exploiting them. It's also the final Patch Tuesday for Server 2003.

Along with the Microsoft updates, users and admins should also patch or disable Adobe Flash, Acrobat, Reader and Shockwave, as a fresh batch of security fixes is also available for the software today.

If you're like Facebook's new security chief, you may just be wishing Flash would die. ®
