Kaspersky Threats

Erkennungsdatum

?

08/11/2015

Schweregrad

?

Kritisch

Beschreibung

Multiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, execute arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities

Improper OGL, OpenType and TrueType fonts handling can be exploited remotely via a specially designed document to execute arbitrary code;
Improper memory address initialization and handling impersonation at Windows kernel can be exploited locally to bypass security restrictions;
Improper user logoff can be exploited locally via a specially designed application to obtain sensitive information;
Improper impersonation handling at Windows shell and Windows Object Manager can be exploited locally via a specially designed application to bypass security restrictions;
Improper certificates validation at Remote Desktop Session Host can be exploited remotely via a man-in-the-middle attack to spoof host;
Improper handling DLL loading at Remote Desktop Protocol client can be exploited remotely via a specially designed connection to execute arbitrary code;
Improper logging at Server Message Block can be exploited locally via a specially designed message to cause denial of service;
Improper memory addresses can be exploited remotely via a specially designed web site to obtain sensitive information;
Improper symbolic links processing at Mount Manager can be exploited locally via a specially designed USB device to execute arbitrary code;
Improper handling searching parameter can be exploited remotely via a specially designed webpage to obtain sensitive information;
Lack of files access restrictions at Internet Explorer Enhanced Protection Mode can be exploited locally via a specially designed code execution to obtain sensitive information;
Lack of SSL restrictions can be exploited remotely via man-in-the-middle attack to obtain sensitive information;
Lack of registry and filesystem interaction restrictions can be exploited remotely via a specially designed file to gain privileges;
Improper memory objects handling at Edge can be exploited remotely via a specially designed website to execute arbitrary code;
Improper Address Space Layout Randomization feature usage at Edge can be exploited remotely via a specially designed website to bypass security restrictions.

Technical details

(1) can be exploited by multiple ways for example opening document or website with embedded malicious fonts.

By exploiting (2) malicious can retrieve base address of the kernel driver from affected process or bypass impersonation restrictions. To exploit this vulnerability malicious must log on to system and run specially designed application.

By exploiting (3) malicious can monitor actions of another users loged in to affected system after malicious user loged off or observe data that was accessible to affected users. To exploit this vulnerability attacker must log on to affected system and run a specially designed application which will continue working after malicious logs off.

To exploit (4) malicious user must log on to affected system and run specially designed application.

(5) caused by certificates validation errors during auth. Man-in-the-middle attacker can generate untrusted certificate that matches issuer name and serial number of the trusted certificates.

To exploit (6) attacker must place malicious DLL to target user’s working directory and then lead user to open the specially designed RDP file. Systems without enabled RDP server are out of risk.

(7) caused by improper handling some logging activity by SMB, resulting memory corruption. To exploit this vulnerability malicious must use valid credentials and use specially designed string to leverage SMB server logging error.

(8) caused by Microsoft XML Core Services, exposes memory addresses not intended for disclosure. By exploiting this vulnerability malicious can bypass Address Space Layout Randomization restrictions to obtain sensitive information. To exploit this vulnerability attacker could host malicious website to invoke MSXML via Internet Explorer.

(10) related to Universal Description, Discovery and Integration Services, which improperly validate or sanitize search parameter in FRAME tag.By exploiting this vulnerability via XSS attack malicious could gain auth cookies or unexpectedly redirect affected user.

To exploit (11) attacker must first leverage another vulnerability to cause code execution in IE with EPM. Than malicious can execute Excel, Notepad, PowerPoint or another with unsafe command line parameter. Another part of updates for this vulnerability listed in KLA10645, KLA10648

Vulnerability (12) related to Microsoft XML Core Services and Web Distributed Authoring and Versioning which allows use of SSL 2.0. Man-in-the-middle attacker can force SSL 2.0 session and then decrypt part of transmitted data.

(13) caused by allowance of registry and filesystem changes for some applications from sandbox. Attacker must lead user to open some specially designed file invokes vulnerable sandboxed application.

Vulnerability (15) allow attacker to predict the memory offsets of specific instructions in a given call stack.

Beeinträchtigte Produkte

Windows Vista Service Pack 2
Windows Server 2008 Service Pack 2
Windows 7 Service Pack 1
Windows Server 2008 R2
Windows 8
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows RT
Windows RT 8.1
Windows 10
.NET framework versions 3.0 SP2, 4, 4.5, 4.5.1, 4.5.2, 4.6
Office 2007 Service Pack 3
Office 2010 Service Pack 2
Live Meeting 2007 Console
Lync 2010
Lync 2013 Service Pack 1
Silverlight 5
BizTalk Server 2010, 2013, 2013 R2

Lösung

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Ursprüngliche Informationshinweise

CVE-2015-2423
CVE-2015-2431
CVE-2015-2430
CVE-2015-2456
CVE-2015-2458
CVE-2015-2433
CVE-2015-2432
CVE-2015-2471
CVE-2015-2472
CVE-2015-2473
CVE-2015-2474
CVE-2015-2475
CVE-2015-2476
CVE-2015-1769
CVE-2015-2449
CVE-2015-2455
CVE-2015-2460
CVE-2015-2459
CVE-2015-2462
CVE-2015-2461
CVE-2015-2464
CVE-2015-2463
CVE-2015-2465
CVE-2015-2454
CVE-2015-2453
CVE-2015-2434
CVE-2015-2435
CVE-2015-2428
CVE-2015-2441
CVE-2015-2446
CVE-2015-2429
CVE-2015-2440
CVE-2015-2442

Folgen

?

ACE

[?]

OSI

[?]

DoS

[?]

SB

[?]

CVE-IDS

?

Offizielle Informationshinweise von Microsoft

Microsoft Sicherheitsupdate-Guide

KB-Liste

3081436
3080790
3072305
3071756
3072307
3072306
3072303
3072309
3080129
3082458
3082459
3079743
3080348
3073893
3075591
3075590
3075593
3075592
3084525
3076895
3087119
3055014
2825645
3075222
3075221
3075220
3075226
3072310
3072311
3076949
3073921
3054890
3060716
3078662
3079757
3078601
3078071
3046017
3054846
3080333
3082487

Link zum Original

Informieren Sie sich über die Statistiken der in Ihrer Region verbreiteten Sicherheitslücken

Erkennungsdatum ?	08/11/2015
Schweregrad ?	Kritisch
Beschreibung	Multiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, execute arbitrary code or obtain sensitive information. Below is a complete list of vulnerabilities Improper OGL, OpenType and TrueType fonts handling can be exploited remotely via a specially designed document to execute arbitrary code; Improper memory address initialization and handling impersonation at Windows kernel can be exploited locally to bypass security restrictions; Improper user logoff can be exploited locally via a specially designed application to obtain sensitive information; Improper impersonation handling at Windows shell and Windows Object Manager can be exploited locally via a specially designed application to bypass security restrictions; Improper certificates validation at Remote Desktop Session Host can be exploited remotely via a man-in-the-middle attack to spoof host; Improper handling DLL loading at Remote Desktop Protocol client can be exploited remotely via a specially designed connection to execute arbitrary code; Improper logging at Server Message Block can be exploited locally via a specially designed message to cause denial of service; Improper memory addresses can be exploited remotely via a specially designed web site to obtain sensitive information; Improper symbolic links processing at Mount Manager can be exploited locally via a specially designed USB device to execute arbitrary code; Improper handling searching parameter can be exploited remotely via a specially designed webpage to obtain sensitive information; Lack of files access restrictions at Internet Explorer Enhanced Protection Mode can be exploited locally via a specially designed code execution to obtain sensitive information; Lack of SSL restrictions can be exploited remotely via man-in-the-middle attack to obtain sensitive information; Lack of registry and filesystem interaction restrictions can be exploited remotely via a specially designed file to gain privileges; Improper memory objects handling at Edge can be exploited remotely via a specially designed website to execute arbitrary code; Improper Address Space Layout Randomization feature usage at Edge can be exploited remotely via a specially designed website to bypass security restrictions. Technical details (1) can be exploited by multiple ways for example opening document or website with embedded malicious fonts. By exploiting (2) malicious can retrieve base address of the kernel driver from affected process or bypass impersonation restrictions. To exploit this vulnerability malicious must log on to system and run specially designed application. By exploiting (3) malicious can monitor actions of another users loged in to affected system after malicious user loged off or observe data that was accessible to affected users. To exploit this vulnerability attacker must log on to affected system and run a specially designed application which will continue working after malicious logs off. To exploit (4) malicious user must log on to affected system and run specially designed application. (5) caused by certificates validation errors during auth. Man-in-the-middle attacker can generate untrusted certificate that matches issuer name and serial number of the trusted certificates. To exploit (6) attacker must place malicious DLL to target user’s working directory and then lead user to open the specially designed RDP file. Systems without enabled RDP server are out of risk. (7) caused by improper handling some logging activity by SMB, resulting memory corruption. To exploit this vulnerability malicious must use valid credentials and use specially designed string to leverage SMB server logging error. (8) caused by Microsoft XML Core Services, exposes memory addresses not intended for disclosure. By exploiting this vulnerability malicious can bypass Address Space Layout Randomization restrictions to obtain sensitive information. To exploit this vulnerability attacker could host malicious website to invoke MSXML via Internet Explorer. (10) related to Universal Description, Discovery and Integration Services, which improperly validate or sanitize search parameter in FRAME tag.By exploiting this vulnerability via XSS attack malicious could gain auth cookies or unexpectedly redirect affected user. To exploit (11) attacker must first leverage another vulnerability to cause code execution in IE with EPM. Than malicious can execute Excel, Notepad, PowerPoint or another with unsafe command line parameter. Another part of updates for this vulnerability listed in KLA10645, KLA10648 Vulnerability (12) related to Microsoft XML Core Services and Web Distributed Authoring and Versioning which allows use of SSL 2.0. Man-in-the-middle attacker can force SSL 2.0 session and then decrypt part of transmitted data. (13) caused by allowance of registry and filesystem changes for some applications from sandbox. Attacker must lead user to open some specially designed file invokes vulnerable sandboxed application. Vulnerability (15) allow attacker to predict the memory offsets of specific instructions in a given call stack.
Beeinträchtigte Produkte	Windows Vista Service Pack 2 Windows Server 2008 Service Pack 2 Windows 7 Service Pack 1 Windows Server 2008 R2 Windows 8 Windows 8.1 Windows Server 2012 Windows Server 2012 R2 Windows RT Windows RT 8.1 Windows 10 .NET framework versions 3.0 SP2, 4, 4.5, 4.5.1, 4.5.2, 4.6 Office 2007 Service Pack 3 Office 2010 Service Pack 2 Live Meeting 2007 Console Lync 2010 Lync 2013 Service Pack 1 Silverlight 5 BizTalk Server 2010, 2013, 2013 R2
Lösung	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Ursprüngliche Informationshinweise	CVE-2015-2423 CVE-2015-2431 CVE-2015-2430 CVE-2015-2456 CVE-2015-2458 CVE-2015-2433 CVE-2015-2432 CVE-2015-2471 CVE-2015-2472 CVE-2015-2473 CVE-2015-2474 CVE-2015-2475 CVE-2015-2476 CVE-2015-1769 CVE-2015-2449 CVE-2015-2455 CVE-2015-2460 CVE-2015-2459 CVE-2015-2462 CVE-2015-2461 CVE-2015-2464 CVE-2015-2463 CVE-2015-2465 CVE-2015-2454 CVE-2015-2453 CVE-2015-2434 CVE-2015-2435 CVE-2015-2428 CVE-2015-2441 CVE-2015-2446 CVE-2015-2429 CVE-2015-2440 CVE-2015-2442
Folgen ?	ACE [?] OSI [?] DoS [?] SB [?]
CVE-IDS ?	CVE-2015-24234.3Critical CVE-2015-24319.3Critical CVE-2015-24309.3Critical CVE-2015-24569.3Critical CVE-2015-24589.3Critical CVE-2015-24332.1Critical CVE-2015-24329.3Critical CVE-2015-24714.3Critical CVE-2015-24724.3Critical CVE-2015-24739.3Critical CVE-2015-24749.0Critical CVE-2015-24754.3Critical CVE-2015-24762.6Critical CVE-2015-17697.2Critical CVE-2015-24494.3Critical CVE-2015-24559.3Critical CVE-2015-24609.3Critical CVE-2015-24599.3Critical CVE-2015-24629.3Critical CVE-2015-24619.3Critical CVE-2015-24649.3Critical CVE-2015-24639.3Critical CVE-2015-24652.1Critical CVE-2015-24542.1Critical CVE-2015-24534.7Critical CVE-2015-24344.3Critical CVE-2015-24359.3Critical CVE-2015-24282.1Critical CVE-2015-24419.3Critical CVE-2015-24469.3Critical CVE-2015-24299.3Critical CVE-2015-24404.3Critical CVE-2015-24429.3Critical
Offizielle Informationshinweise von Microsoft	Microsoft Sicherheitsupdate-Guide
KB-Liste	3081436 3080790 3072305 3071756 3072307 3072306 3072303 3072309 3080129 3082458 3082459 3079743 3080348 3073893 3075591 3075590 3075593 3075592 3084525 3076895 3087119 3055014 2825645 3075222 3075221 3075220 3075226 3072310 3072311 3076949 3073921 3054890 3060716 3078662 3079757 3078601 3078071 3046017 3054846 3080333 3082487
	Link zum Original
	Informieren Sie sich über die Statistiken der in Ihrer Region verbreiteten Sicherheitslücken

KLA10646Multiple vulnerabilities in Microsoft Windows

KLA10646
Multiple vulnerabilities in Microsoft Windows