Kaspersky Threats

Detect date

?

11/10/2015

Severity

?

Critical

Description

Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities

Improper memory objects access at Edge can be exploited remotely via a specially designed web content to bypass security restrictions or execute arbitrary code;
Improper ASLR (Address Space Layout Randomization) implementation at Edge can be exploited remotely via a specially designed web content to bypass security restrictions;
Improper memory objects handling at kernel can be exploited by logged in user via a specially designed application to gain privileges;
Improper memory addresses initialization at kermel can be exploited by logged in user via a specially designed application to bypass security restrictions and obtain sensitive information;
Improper handling of embedded fonts at Adobe Type Manager Library can be exploited remotely via a specially designed web content or document to execute arbitrary code;
Improper permissions validation at kernel can be exploited by logged in user via a specially designed application to bypass security restrictions;
Improper buffer handling at Network Driver Interface Standard can be exploited by logged in user via a specially designed application to gain privileges;
Lack of memory address verification at Winsock can be exploited by logged in user via a specially designed application to gain privileges;
Improper encryption negotiation handling at Internet Protocol Security can be exploited by remote user with valid credentials via a specially designed application to cause denial of service;
Weakness at supported versions of Transport Layer Security protocol can be exploited remotely via man-in-the-middle attack to spoof user impersonation;
Improper password change handling at Kerberos can be exploited via a login manipulations to bypass security restrictions;
An unknown vulnerability at Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code.

Technical details

Vulnerability (4) can lead to Kernel ASLR bypass.

Vulnerability (7) caused by not checking buffer size prior to copy memory into it.

Vulnerability (8) caused by not checking memory address validity before call.

To exploit (10) remote attacker must cause man-in-the-middle attack between client and legitimate server. By exploiting this vulnerability attacker can impersonate victim on any other server that uses credentials same with attacked.

Vulnerability (11) caused by failing to check the password change of a user signing into a workstation. By exploiting this vulnerability attacker can bypass Kerberos authentication and decrypt drives protected by BitLocker.

Vulnerability (12) has multiple described mitigations designed to prevent opening malicious log file. Short list placed further, for full description look at MS15-115 advisory. Mitigations: do not open suspicious .jnt files; remove .jnt file association; remove Windows Journal; deny access to Journal.exe.

Affected products

Microsoft Windows 10
Microsoft Windows 10 Version 1511
Microsoft Windows Vista Service Pack 2
Microsoft Windows Server 2008 Service Pack 2
Microsoft Windows 7 Service Pack 1
Microsoft Windows Server 2008 R2 Service Pack 1
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Original advisories

CVE-2015-6064
CVE-2015-6113
CVE-2015-6078
CVE-2015-2478
CVE-2015-6088
CVE-2015-6098
CVE-2015-6097
CVE-2015-6073
CVE-2015-6100
CVE-2015-6112
CVE-2015-6111
CVE-2015-6109
CVE-2015-6104
CVE-2015-6103
CVE-2015-6102
CVE-2015-6101
CVE-2015-6095

Impacts

?

ACE

[?]

OSI

[?]

DoS

[?]

SB

[?]

PE

[?]

SUI

[?]

Detect date ?	11/10/2015
Severity ?	Critical
Description	Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code or obtain sensitive information. Below is a complete list of vulnerabilities Improper memory objects access at Edge can be exploited remotely via a specially designed web content to bypass security restrictions or execute arbitrary code; Improper ASLR (Address Space Layout Randomization) implementation at Edge can be exploited remotely via a specially designed web content to bypass security restrictions; Improper memory objects handling at kernel can be exploited by logged in user via a specially designed application to gain privileges; Improper memory addresses initialization at kermel can be exploited by logged in user via a specially designed application to bypass security restrictions and obtain sensitive information; Improper handling of embedded fonts at Adobe Type Manager Library can be exploited remotely via a specially designed web content or document to execute arbitrary code; Improper permissions validation at kernel can be exploited by logged in user via a specially designed application to bypass security restrictions; Improper buffer handling at Network Driver Interface Standard can be exploited by logged in user via a specially designed application to gain privileges; Lack of memory address verification at Winsock can be exploited by logged in user via a specially designed application to gain privileges; Improper encryption negotiation handling at Internet Protocol Security can be exploited by remote user with valid credentials via a specially designed application to cause denial of service; Weakness at supported versions of Transport Layer Security protocol can be exploited remotely via man-in-the-middle attack to spoof user impersonation; Improper password change handling at Kerberos can be exploited via a login manipulations to bypass security restrictions; An unknown vulnerability at Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code. Technical details Vulnerability (4) can lead to Kernel ASLR bypass. Vulnerability (7) caused by not checking buffer size prior to copy memory into it. Vulnerability (8) caused by not checking memory address validity before call. To exploit (10) remote attacker must cause man-in-the-middle attack between client and legitimate server. By exploiting this vulnerability attacker can impersonate victim on any other server that uses credentials same with attacked. Vulnerability (11) caused by failing to check the password change of a user signing into a workstation. By exploiting this vulnerability attacker can bypass Kerberos authentication and decrypt drives protected by BitLocker. Vulnerability (12) has multiple described mitigations designed to prevent opening malicious log file. Short list placed further, for full description look at MS15-115 advisory. Mitigations: do not open suspicious .jnt files; remove .jnt file association; remove Windows Journal; deny access to Journal.exe.
Affected products	Microsoft Windows 10 Microsoft Windows 10 Version 1511 Microsoft Windows Vista Service Pack 2 Microsoft Windows Server 2008 Service Pack 2 Microsoft Windows 7 Service Pack 1 Microsoft Windows Server 2008 R2 Service Pack 1 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2
Solution	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Original advisories	CVE-2015-6064 CVE-2015-6113 CVE-2015-6078 CVE-2015-2478 CVE-2015-6088 CVE-2015-6098 CVE-2015-6097 CVE-2015-6073 CVE-2015-6100 CVE-2015-6112 CVE-2015-6111 CVE-2015-6109 CVE-2015-6104 CVE-2015-6103 CVE-2015-6102 CVE-2015-6101 CVE-2015-6095
Impacts ?	ACE [?] OSI [?] DoS [?] SB [?] PE [?] SUI [?]
Related products	Microsoft Windows Vista Microsoft Windows Server 2012 Microsoft Windows 8 Microsoft Windows 7 Microsoft Windows Server 2008 Windows RT Microsoft Windows 10
CVE-IDS ?	CVE-2015-60649.3Critical CVE-2015-61132.1Warning CVE-2015-60789.3Critical CVE-2015-24787.2High CVE-2015-60884.3Warning CVE-2015-60987.2High CVE-2015-60979.3Critical CVE-2015-60739.3Critical CVE-2015-61006.9High CVE-2015-61125.8High CVE-2015-61116.8High CVE-2015-61092.1Warning CVE-2015-61049.3Critical CVE-2015-61039.3Critical CVE-2015-61022.1Warning CVE-2015-61016.9High CVE-2015-60954.9Warning
Microsoft official advisories	Microsoft Security Update Guide
KB list	3081320 3100213 3105864 3097877 3105211 3102939 3105256 3092601 3101246 3105213 3104519 3101722 3104521 3101746
Exploitation	The following public exploits exists for this vulnerability: https://www.exploit-db.com/exploits/38793 https://www.exploit-db.com/exploits/38796 https://www.exploit-db.com/exploits/38713 https://www.exploit-db.com/exploits/38714 https://www.exploit-db.com/exploits/38794 https://www.exploit-db.com/exploits/38795 Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.
	Find out the statistics of the vulnerabilities spreading in your region

KLA10694Multiple vulnerabilities in Microsoft Windows

KLA10694
Multiple vulnerabilities in Microsoft Windows