IE and TrueType Handling Code Again Expose Exploitable Vuln Across All OS Versions
Microsoft released a set of thirteen Security Bulletins (MS015-043 through MS015-055) to start off May 2015, addressing 46 vulnerabilities in a wide set of Microsoft software technologies. Three of these are rated critical for RCE and the rest of the May 2015 Security Bulletins are rated Important. Two of the critical Bulletins (043 and 044) are especially risky and address critical RCE vulnerabilities across all versions of supported Windows platforms.
- Internet Explorer (MS015-043) critical
- GDI+ drivers handling fonts (MS015-044) critical
- Windows Journal (MS015-045) critical
- Microsoft Office
- Sharepoint Server
- .NET Framework
- JScript and VBScript Scripting Engines
- MMC file format
- Schannel (Microsoft’s network crypto libraries)
Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.
This round of IE memory corruption vulnerabilities enable remote code execution across all versions of the browser and supported Windows OS, IE6 – IE11. Even Internet Explorer 11 on Windows 8.1 maintains the flawed code, leading many to anticipate Microsoft’s new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.
Another issue enables RCE in Windows Journal, a note-taking application first written for XP Tablet associated with .jnt files. To disable the app, it seems that you can simply disable the “Tablet PC Options Components” Windows Feature on Vista or Windows 7, but you are without the Control Panel option on Windows 8.x. On Windows 8 and above systems, it looks like you can remove the .jnt file association in the registry, or, you can deny access to journal.exe with a couple of shell commands:
takeown.exe /f “%ProgramFiles%\Windows Journal\Journal.exe”
icacls.exe %ProgramFiles%\Windows Journal\Journal.exe” /deny everyone:(F)
And finally, another couple of font handling GDI+ vulnerabilities are patched, this time in the DirectWrite library handling for both OpenType (cve-2015-1670) and TrueType (cve-2015-1671) fonts. It’s 1671 that enables RCE on Windows systems running SilverLight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .Net framework versions, and all the supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch on a set of files, not just win32k.sys driver code:
According to Microsoft, “When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers”. Which may be mincing words, because Microsoft’s cve-2015-1671 vulnerability acknowledgement listed the Threat Research Manager at FireEye. That disclosure detail may add urgency to updating this vulnerability for some organizations.
Microsoft security updates May 2015
Good review of MS update. Looking for a post release follow-up on hardware/software conflicts and modified patches. Thanks
I accidentally downloaded “Driver Detector” which purported to be a MS affiliated vendor. My system is Windows 7 and I am fighting to regain my wireless capability on a permanent basis. Although I have cleaned my hard drive and reinstalled my original software several times, this loss of wireless adaptor message continues to return even though I seem to have fixed things. Any suggestions, please? Thanks.
To Kurt Baumgartner: as per your information on the current problems affecting Microsoft programmes, etc., I continually read the messages from Microsoft to download and install their updates, I check daily even though I have programmed Microsoft to notify me when new updates are available. In the last few days in spite of all of this and having Kaspersky as my security programme, I am now unable to use Internet Explorer as a web browser. It has obviously been hijacked. I thought I had solved the problem only to have a second “hijacker” take over IE immediately. It is now almost a week since this occurred. This is the second time this year and I spend hours each day trying to get my computers under my control and choose which browser I want to use. I have tried communicating with Microsoft but appear to be “hijacked” by unknown persons pertaining to work for MS. Microsoft warns users of this service to beware of such situations and advises never to provide names, addresses, banking details. The first question I was asked was to provide the above. I declined, quoting MS advice, but after some “chat” the so called service provider asked me for money to be sent to an account as it was required to assist me on behalf of MS. I declined but he was persistent and wrote that MS would not fix the problem without payment. I cut the interaction. So this time I didn’t even bother with MS. I do not want to hand my computers over to people here who may or may not be able to fix the problem, but more importantly, they all stated they would require my computers for up to a month as they are very busy, in particular with the current problems. How can all this happen when my system is supposed to be protected by Kaspersky? Help!! (I am just short of my 67th year, and find many people involved in the computer industry tend to treat me as if with age my brain has shut down) VG 21/05/2015