Kaspersky ID:
KLA10646
Дата обнаружения:
11/08/2015
Обновлено:
18/06/2020

Описание

Multiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, execute arbitrary code or obtain sensitive information.

Below is a complete list of vulnerabilities

  1. Improper OGL, OpenType and TrueType fonts handling can be exploited remotely via a specially designed document to execute arbitrary code;
  2. Improper memory address initialization and handling impersonation at Windows kernel can be exploited locally to bypass security restrictions;
  3. Improper user logoff can be exploited locally via a specially designed application to obtain sensitive information;
  4. Improper impersonation handling at Windows shell and Windows Object Manager can be exploited locally via a specially designed application to bypass security restrictions;
  5. Improper certificates validation at Remote Desktop Session Host can be exploited remotely via a man-in-the-middle attack to spoof host;
  6. Improper handling DLL loading at Remote Desktop Protocol client can be exploited remotely via a specially designed connection to execute arbitrary code;
  7. Improper logging at Server Message Block can be exploited locally via a specially designed message to cause denial of service;
  8. Improper memory addresses can be exploited remotely via a specially designed web site to obtain sensitive information;
  9. Improper symbolic links processing at Mount Manager can be exploited locally via a specially designed USB device to execute arbitrary code;
  10. Improper handling searching parameter can be exploited remotely via a specially designed webpage to obtain sensitive information;
  11. Lack of files access restrictions at Internet Explorer Enhanced Protection Mode can be exploited locally via a specially designed code execution to obtain sensitive information;
  12. Lack of SSL restrictions can be exploited remotely via man-in-the-middle attack to obtain sensitive information;
  13. Lack of registry and filesystem interaction restrictions can be exploited remotely via a specially designed file to gain privileges;
  14. Improper memory objects handling at Edge can be exploited remotely via a specially designed website to execute arbitrary code;
  15. Improper Address Space Layout Randomization feature usage at Edge can be exploited remotely via a specially designed website to bypass security restrictions.

Technical details

(1) can be exploited by multiple ways for example opening document or website with embedded malicious fonts.

By exploiting (2) malicious can retrieve base address of the kernel driver from affected process or bypass impersonation restrictions. To exploit this vulnerability malicious must log on to system and run specially designed application.

By exploiting (3) malicious can monitor actions of another users loged in to affected system after malicious user loged off or observe data that was accessible to affected users. To exploit this vulnerability attacker must log on to affected system and run a specially designed application which will continue working after malicious logs off.

To exploit (4) malicious user must log on to affected system and run specially designed application.

(5) caused by certificates validation errors during auth. Man-in-the-middle attacker can generate untrusted certificate that matches issuer name and serial number of the trusted certificates.

To exploit (6) attacker must place malicious DLL to target user’s working directory and then lead user to open the specially designed RDP file. Systems without enabled RDP server are out of risk.

(7) caused by improper handling some logging activity by SMB, resulting memory corruption. To exploit this vulnerability malicious must use valid credentials and use specially designed string to leverage SMB server logging error.

(8) caused by Microsoft XML Core Services, exposes memory addresses not intended for disclosure. By exploiting this vulnerability malicious can bypass Address Space Layout Randomization restrictions to obtain sensitive information. To exploit this vulnerability attacker could host malicious website to invoke MSXML via Internet Explorer.

(10) related to Universal Description, Discovery and Integration Services, which improperly validate or sanitize search parameter in FRAME tag.By exploiting this vulnerability via XSS attack malicious could gain auth cookies or unexpectedly redirect affected user.

To exploit (11) attacker must first leverage another vulnerability to cause code execution in IE with EPM. Than malicious can execute Excel, Notepad, PowerPoint or another with unsafe command line parameter. Another part of updates for this vulnerability listed in KLA10645, KLA10648

Vulnerability (12) related to Microsoft XML Core Services and Web Distributed Authoring and Versioning which allows use of SSL 2.0. Man-in-the-middle attacker can force SSL 2.0 session and then decrypt part of transmitted data.

(13) caused by allowance of registry and filesystem changes for some applications from sandbox. Attacker must lead user to open some specially designed file invokes vulnerable sandboxed application.

Vulnerability (15) allow attacker to predict the memory offsets of specific instructions in a given call stack.

Первичный источник обнаружения

Эксплуатация

The following public exploits exists for this vulnerability:

https://www.exploit-db.com/exploits/37911

https://www.exploit-db.com/exploits/37918

https://www.exploit-db.com/exploits/37923

https://www.exploit-db.com/exploits/38222

https://www.exploit-db.com/exploits/37920

https://www.exploit-db.com/exploits/37919

https://www.exploit-db.com/exploits/37921

https://www.exploit-db.com/exploits/37922

https://www.exploit-db.com/exploits/37916

https://www.exploit-db.com/exploits/37917

https://www.exploit-db.com/exploits/37914

https://www.exploit-db.com/exploits/37915

Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.

Связанные продукты

Список CVE

  • CVE-2015-2423
    warning
  • CVE-2015-2431
    critical
  • CVE-2015-2430
    critical
  • CVE-2015-2456
    critical
  • CVE-2015-2458
    critical
  • CVE-2015-2433
    warning
  • CVE-2015-2432
    critical
  • CVE-2015-2471
    warning
  • CVE-2015-2472
    warning
  • CVE-2015-2473
    critical
  • CVE-2015-2474
    critical
  • CVE-2015-2475
    warning
  • CVE-2015-2476
    warning
  • CVE-2015-1769
    high
  • CVE-2015-2449
    warning
  • CVE-2015-2455
    critical
  • CVE-2015-2460
    critical
  • CVE-2015-2459
    critical
  • CVE-2015-2462
    critical
  • CVE-2015-2461
    critical
  • CVE-2015-2464
    critical
  • CVE-2015-2463
    critical
  • CVE-2015-2465
    warning
  • CVE-2015-2454
    warning
  • CVE-2015-2453
    warning
  • CVE-2015-2434
    warning
  • CVE-2015-2435
    critical
  • CVE-2015-2428
    warning
  • CVE-2015-2441
    critical
  • CVE-2015-2446
    critical
  • CVE-2015-2429
    critical
  • CVE-2015-2440
    warning
  • CVE-2015-2442
    critical

Список KB

Смотрите также

Узнай статистику распространения уязвимостей в своем регионе statistics.securelist.com

Нашли неточность в описании этой уязвимости? Дайте нам знать!
Kaspersky IT Security Calculator:
Оцените ваш профиль кибербезопасности
Узнать больше
Встречай новый Kaspersky!
Каждая минута твоей онлайн-жизни заслуживает топовой защиты.
Узнать больше
Confirm changes?
Your message has been sent successfully.