
Microsoft security updates May 2015

Microsoft released a set of thirteen Security Bulletins (MS15-043 through MS15-055) to start off May 2015, addressing 46 vulnerabilities across a wide range of Microsoft software. Three of these are rated Critical for remote code execution (RCE); the rest of the May 2015 Security Bulletins are rated Important. Two of the Critical Bulletins (043 and 044) are especially risky, as they address RCE vulnerabilities across all supported versions of Windows.

  • Internet Explorer (MS15-043) critical
  • GDI+ drivers handling fonts (MS15-044) critical
  • Windows Journal (MS15-045) critical
  • Microsoft Office
  • SharePoint Server
  • Silverlight
  • .NET Framework
  • JScript and VBScript Scripting Engines
  • MMC file format
  • Schannel (Microsoft’s network crypto libraries)

Most likely, your Windows systems are running at least a couple of those software packages, and will require a reboot after updating.

This round of IE memory corruption vulnerabilities enables remote code execution across all versions of the browser, IE6 through IE11, on every supported Windows OS. Even Internet Explorer 11 on Windows 8.1 still carries the flawed code, which is leading many to look ahead to Microsoft’s new approach to web browser security in the upcoming Microsoft Edge: Building a safer browser.

Another issue enables RCE in Windows Journal, the note-taking application first written for XP Tablet PC Edition and associated with .jnt files. To disable the app on Vista or Windows 7, it appears you can simply turn off the “Tablet PC Optional Components” Windows Feature, but that Control Panel option is not available on Windows 8.x. On Windows 8 and above, it looks like you can remove the .jnt file association in the registry, or deny access to Journal.exe with a couple of shell commands:

takeown.exe /f "%ProgramFiles%\Windows Journal\Journal.exe"
icacls.exe "%ProgramFiles%\Windows Journal\Journal.exe" /deny everyone:(F)
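The following script is an added example (not part of the original post) that audits whether the Windows Journal mitigations described above are in place on a Windows 8.x host and, with the assumed `-Apply` switch, applies them using the same takeown/icacls commands. The registry location of the .jnt association (HKLM\SOFTWARE\Classes\.jnt) and the `-Apply` switch are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit (and optionally apply) the Windows Journal mitigations.
# Assumptions: Journal.exe lives under %ProgramFiles%\Windows Journal, the
# .jnt association is under HKLM\SOFTWARE\Classes\.jnt, and the "Everyone"
# principal is not localized (adjust on non-English systems).
param([switch]$Apply)

$journal = Join-Path $env:ProgramFiles 'Windows Journal\Journal.exe'
$jntKey  = 'HKLM:\SOFTWARE\Classes\.jnt'

# 1. Nothing to mitigate if Journal.exe is not installed.
if (-not (Test-Path $journal)) {
    Write-Output "Journal.exe not found; nothing to mitigate."
    return
}

# 2. Report the current .jnt file association (default value of the key).
$assoc = (Get-ItemProperty -Path $jntKey -ErrorAction SilentlyContinue).'(default)'
Write-Output ("jnt association: " + $(if ($assoc) { $assoc } else { '<none>' }))

# 3. Report whether an explicit Deny/FullControl ACE for Everyone already exists.
$acl  = Get-Acl -Path $journal
$deny = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Value -eq 'Everyone' -and
    $_.FileSystemRights -eq 'FullControl'
}
Write-Output ("Deny ACE present: " + [bool]$deny)

if (-not $Apply) { return }

# 4. Apply: drop the extension association (only the .jnt key is touched) and
#    deny access with the same takeown/icacls commands the post shows.
if ($assoc) {
    Remove-ItemProperty -Path $jntKey -Name '(default)' -ErrorAction SilentlyContinue
    Write-Output "Removed .jnt association."
}
if (-not $deny) {
    & takeown.exe /f $journal | Out-Null
    & icacls.exe $journal /deny 'everyone:(F)' | Out-Null
    $applied = (Get-Acl -Path $journal).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' }
    Write-Output ("Deny ACE applied: " + [bool]$applied)
}
```

Running it without `-Apply` only reports the state, which makes it usable as a read-only compliance check across a fleet before any change is made.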

And finally, another pair of GDI+ font-handling vulnerabilities are patched, this time in the DirectWrite library’s handling of both OpenType (CVE-2015-1670) and TrueType (CVE-2015-1671) fonts. It is CVE-2015-1671 that enables RCE on Windows systems running Silverlight, Lync, Live Meeting, Microsoft Office 2007 and 2010, supported .NET Framework versions, and all supported Windows operating system versions, including Windows 2008 and 2012 R2 Server Core. Depending on your OS, the patches can touch a whole set of files, not just the win32k.sys driver code:

Win32k.sys
Gdiplus.dll
D2d1.dll
Fntcache.dll
Dwrite.dll
D3d10level9.dll
D3d10_1.dll
D3d10_1core.dll
D3d10warp.dll
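Because the update can replace any of the files listed above, a useful check is to snapshot their versions before patching and compare afterwards to confirm which binaries were actually swapped out and still carry a valid signature. The script below is an added example and not from the original post; the file names are the ones listed above, while the System32/SysWOW64 paths and the JSON baseline format are assumptions.

```powershell
# Added example: baseline and compare the files the post lists as touched by
# the DirectWrite/GDI+ font update. Assumes the files live in System32 and
# (on 64-bit systems) SysWOW64; the baseline is stored as JSON.
$files = 'win32k.sys','gdiplus.dll','d2d1.dll','fntcache.dll','dwrite.dll',
         'd3d10level9.dll','d3d10_1.dll','d3d10_1core.dll','d3d10warp.dll'
$dirs  = @("$env:SystemRoot\System32")
if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }

function Get-PatchFileSnapshot {
    # One record per file actually present: version, last write time, and
    # whether its Authenticode signature validates.
    foreach ($d in $dirs) {
        foreach ($f in $files) {
            $p = Join-Path $d $f
            if (-not (Test-Path $p)) { continue }
            $item = Get-Item $p
            $sig  = Get-AuthenticodeSignature -FilePath $p
            [pscustomobject]@{
                Path      = $p
                Version   = $item.VersionInfo.FileVersion
                Modified  = $item.LastWriteTimeUtc.ToString('o')
                Signature = $sig.Status.ToString()
            }
        }
    }
}

function Compare-PatchFileSnapshot([string]$BaselinePath) {
    # Returns only the files whose version changed since the baseline, i.e.
    # the binaries the update actually replaced, with their signature status.
    $before = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($cur in Get-PatchFileSnapshot) {
        $old = $before | Where-Object { $_.Path -eq $cur.Path }
        if ($old -and $old.Version -ne $cur.Version) {
            [pscustomobject]@{
                Path = $cur.Path; Before = $old.Version
                After = $cur.Version; Signature = $cur.Signature
            }
        }
    }
}

# Usage: before installing the update
#   Get-PatchFileSnapshot | ConvertTo-Json | Set-Content .\baseline.json
# after the reboot
#   Compare-PatchFileSnapshot .\baseline.json | Format-Table -AutoSize
```

A file that changed but reports a Signature other than Valid is worth a second look before the host is considered patched.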

According to Microsoft, “When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers”. That may be mincing words, because Microsoft’s CVE-2015-1671 vulnerability acknowledgement credits the Threat Research Manager at FireEye. That disclosure detail may add urgency to patching this vulnerability for some organizations.


  1. Professor ED

    Good review of MS update. Looking for a post release follow-up on hardware/software conflicts and modified patches. Thanks

  2. Allen Jaggard

    I accidentally downloaded “Driver Detector”, which purported to be an MS-affiliated vendor. My system is Windows 7 and I am fighting to regain my wireless capability on a permanent basis. Although I have cleaned my hard drive and reinstalled my original software several times, this loss of wireless adaptor message continues to return even though I seem to have fixed things. Any suggestions, please? Thanks.

  3. Valerie Golden

    To Kurt Baumgartner: as per your information on the current problems affecting Microsoft programmes, etc., I continually read the messages from Microsoft to download and install their updates, I check daily even though I have programmed Microsoft to notify me when new updates are available. In the last few days in spite of all of this and having Kaspersky as my security programme, I am now unable to use Internet Explorer as a web browser. It has obviously been hijacked. I thought I had solved the problem only to have a second “hijacker” take over IE immediately. It is now almost a week since this occurred. This is the second time this year and I spend hours each day trying to get my computers under my control and choose which browser I want to use. I have tried communicating with Microsoft but appear to be “hijacked” by unknown persons pertaining to work for MS. Microsoft warns users of this service to beware of such situations and advises never to provide names, addresses, banking details. The first question I was asked was to provide the above. I declined, quoting MS advice, but after some “chat” the so called service provider asked me for money to be sent to an account as it was required to assist me on behalf of MS. I declined but he was persistent and wrote that MS would not fix the problem without payment. I cut the interaction. So this time I didn’t even bother with MS. I do not want to hand my computers over to people here who may or may not be able to fix the problem, but more importantly, they all stated they would require my computers for up to a month as they are very busy, in particular with the current problems. How can all this happen when my system is supposed to be protected by Kaspersky? Help!! (I am just short of my 67th year, and find many people involved in the computer industry tend to treat me as if with age my brain has shut down) VG 21/05/2015
