
SANS ISC: Microsoft March Patch Tuesday - Internet Security | DShield SANS ISC InfoSec Forums


Microsoft March Patch Tuesday

Overview of the March 2015 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS15-018 Cumulative Security Update For Internet Explorer (Replaces MS15-009) (note that for IE8 and later, the VBScript vulnerability CVE-2015-0032 is addressed by MS15-019) | Internet Explorer: CVE-2015-0032, CVE-2015-0056, CVE-2015-0072, CVE-2015-0099, CVE-2015-0100, CVE-2015-1622, CVE-2015-1623, CVE-2015-1624, CVE-2015-1625, CVE-2015-1626, CVE-2015-1627, CVE-2015-1634 | KB 3040297 | CVE-2015-1625 has been disclosed in public, but no exploits seen yet. | Severity: Critical, Exploitability: 1 | Critical | Critical |
| MS15-019 Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS14-084) | VBScript: CVE-2015-0032 | KB 3040297 | no known exploits. | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS15-020 Remote Code Execution Via Loading Untrusted DLLs and Windows Text Service Memory Corruption (Replaces MS14-027) | Windows Text Services: CVE-2015-0081, CVE-2015-0096 | KB 3041836 | no known exploits. | Severity: Critical, Exploitability: 2 | Critical | Critical |
| MS15-021 Remote Code Execution Vulnerability in Adobe Font Drivers (Replaces MS13-081) | Adobe Font Drivers: CVE-2015-0074, CVE-2015-0087, CVE-2015-0088, CVE-2015-0089, CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, CVE-2015-0093 | KB 3032323 | no known exploits. | Severity: Critical, Exploitability: 2 | Critical | Important |
| MS15-022 Remote Code Execution Vulnerability in Microsoft Office (Replaces MS13-072 MS14-022 MS14-023 MS14-050 MS14-073 MS15-012) | Microsoft Office: CVE-2015-0085, CVE-2015-0086, CVE-2015-0097, CVE-2015-1633, CVE-2015-1636 | KB 3038999 | no known exploits. | Severity: Critical, Exploitability: 1 | Critical | Important |
| MS15-023 Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-010) | Kernel Mode Drivers: CVE-2015-0077, CVE-2015-0078, CVE-2015-0094, CVE-2015-0095 | KB 3034344 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-024 Information Disclosure Vulnerability in PNG Processing (Replaces MS15-016) | Windows: CVE-2015-0080 | KB 3035132 | no known exploits. | Severity: Important, Exploitability: 3 | Important | Important |
| MS15-025 Elevation of Privilege / Impersonation Vulnerability in Windows Kernel (Replaces MS13-031 MS15-010 MS15-015) | Windows Kernel: CVE-2015-0073, CVE-2015-0075 | KB 3038680 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-026 Cross Site Scripting Vulnerabilities in Microsoft Exchange Server | Microsoft Exchange Server: CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1631, CVE-2015-1632 | KB 3040856 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-027 Spoofing Vulnerability in NETLOGON (Replaces MS10-101) | Windows: CVE-2015-0005 | KB 3002657 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-028 Access Control List Bypass via Windows Task Scheduler | Windows: CVE-2015-0084 | KB 3030377 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-029 Information Disclosure in Windows Photo Decoder | Windows Photo Decoder: CVE-2015-0076 | KB 3035126 | no known exploits. | Severity: Important, Exploitability: 2 | Important | Important |
| MS15-030 Denial of Service Vulnerability in RDP (Replaces MS14-030) | Remote Desktop Protocol: CVE-2015-0079 | KB 3039976 | no known exploits. | Severity: Important, Exploitability: 3 | Important | Important |
| MS15-031 Schannel Patch for FREAK | Schannel: CVE-2015-1637 | KB 3046049 | yes. | Severity: Important, Exploitability: 1 | Important | Important |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

---
Johannes B. Ullrich, Ph.D.

Johannes

3562 Posts
ISC Handler
It appears MS is doing some fancy stuff with the bulletin URLs. They all dump back to the technet security bulletin page.
TexISO

19 Posts
I adjusted the URLs. They should work now. Looks like I used an older scheme.
Johannes

3562 Posts
ISC Handler
Exploit for MS15-027 is available at https://code.google.com/p/impacket/source/browse/trunk/examples/smbrelayx.py
Johannes
1 Posts
FYI: I don't see MS15-019 in my WSUS server yet. I do see MS15-018 and MS-020.
TuggDougins

37 Posts
Note that MS15-019 does not apply to all browsers. Some will receive the VBScript patch via MS15-018.
Johannes

3562 Posts
ISC Handler
And MS15-020 fixes a failed Stuxnet patch MS10-046.

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2015-0096-issue-patched-today-involves-failed-Stuxnet-fix/ba-p/6718402#.VP9GQFV4o50
Anonymous
Bad news ... if for real ... CVE-2015-0096 issue patched today involves failed Stuxnet fix

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2015-0096-issue-patched-today-involves-failed-Stuxnet-fix/ba-p/6718402
k4l4m4r1s

7 Posts
Minor note: MS15-018 references KB 3032359, not 3040297 as listed in the chart.
IMFerret

10 Posts
Hi, this is Peter from Berlin/Germany. My first reply. Update KB3033929 fails with error code 80004005. Confirmed on two standalone machines, both Lenovo (ThinkCentre Edge and ThinkPad E-Series, both 64-bit dual-boot systems with Windows 7 and Suse Linux). Tested on two different desktop machines in our enterprise faultlessly, but I'm not feeling comfortable for a broader test already. (Hope my English is good enough for you to follow.)

Has anyone experienced this behaviour?

Thanks, greetings
Peter

URLs:
- https://social.technet.microsoft.com/Forums/en-US/a08ad884-6b05-4632-8f28-2568eb97b636/update-kb3033929-fails-with-error-code-80004005?forum=w7itprosecurity
- http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-important-update-failed-reverted-changes/5a902e57-515d-4f15-91e6-eb73781ec382
Peter

2 Posts
That's a fairly non-specific Windows Update error number - try these 2 urls?

windows.microsoft.com/en-us/windows7/…
support.microsoft.com/kb/…
Rob VandenBrink

499 Posts
ISC Handler
Total of 15 T-440 7 Pro 64 bit on 2012 network, no complaints.
ICI2I

63 Posts
Thanks. KB3033929 seems to cause at least some problems:

- http://krebsonsecurity.com/2015/03/ms-update-3033929-causing-reboot-loop/
Peter

2 Posts
MS15-018
Internet Explorer Elevation of Privilege Vulnerability
CVE-2015-0072
0 - Exploitation Detected
0 - Exploitation Detected

(According to tech net mar summary)

The IE UXSS is also fixed by ms15-018
Haven't seen much coverage here, but definitely a nice phishing vector and covered on Fdisclosure(over a month)
Mallory Bobalice

28 Posts
