While Patch Tuesday may soon be a footnote to how patch management used to operate (more on that later), Microsoft’s May Security Bulletin makes 2015 its biggest year for patches (if the first five months give any indication to the remaining seven). Thus far we’ve seen 55 Microsoft patches in 2015 (13 in the most recent release)—the most seen through May in the last five years.
So let’s dive deep into what’s new for Microsoft, Adobe, and Firefox 38 in this hefty Patch Tuesday.
MS15-046 patches several vulnerabilities in Microsoft Office involving specially crafted Office files. If a user opens such a file via email or visits a malicious/compromised website, an attacker could run arbitrary code in the context of the current user’s privileges. Editions most at risk are MS Office 2007, 2010, and 2013.
The patch addresses a vulnerabilities involving use-after-free (CVE-2015-0085), memory corruption (CVE-2015-0086), Word local zone remote code execution (CVE-2015-0097), and SharePoint XSS (CVE-2015-1633 and CVE-2015-1636). Workarounds are also provided for the Word and SharePoint vulnerabilities.
Microsoft Font Drivers
MS15-044 resolves vulnerabilities that could allow remote code execution if a user opens a special crafted document or visits sites containing embedded TrueType fonts. Affected products include Windows, Microsoft .NET Framework, Office, Lync, and Silverlight. The patch corrects how Windows DirectWrite library handles TrueType (CVE-2015-1671) and Open Type (CVE-2015-1670) fonts.
Patch MS15-053 addresses VBScript engine (CVE-2015-1684) and JScript (CVE-2015-1686) vulnerabilities, resolving ASLR security feature bypasses; though the attack vector for these vulnerabilities is through Internet Explorer.
MS15-043 is a catch-all for Internet Explorer versions 6-11. The patch addresses 14 critical vulnerabilities (22 total) that could allow remote code execution and an attacker to gain user rights—admins beware. Microsoft’s patch piles on additional permission validations, IE’s handling of objects in memory, and ensuring ASLR security features are implemented.
Another critically-rated patch (MS15-045) affects Windows Journal. It resolves several vulnerabilities allowing remote code execution (CVE-2015-1675, CVE-2015-1695, CVE-2015-1696, CVE-2015-1697, CVE-2015-1698, and CVE-2015-1699).
Though considering the popularity of Microsoft Journal (rather, the lack thereof), you may just consider disabling the program and dedicating focus elsewhere.
MS15-048 resolves a denial of service vulnerability (CVE-2015-1672) and an elevation of privileges vulnerability (CVE-2015-1673). The patches fix how .NET Framework decrypts XML data and handles objects in memory.
Yet another fix for SChannel (CVE-2015-1716), MS15-055 fixes a Windows vulnerability where Secure Channel allows weak key lengths and could result in various attacks resulting in information disclosure. Microsoft has beefed up its required DHE key length to 1024 bits.
Adobe has also released their coinciding security update resolving 34 vulnerabilities, with all patches rated as critical (“1” in Adobe terms) and could allow remote code execution. Affected programs include Acrobat X and XI as well as Reader X and XI, and involve issues such as use-after-free, buffer overflows, and memory corruption.
Patches also fix a publicly exploited vulnerability that could allow attackers to gain sensitive information (CVE-2014-8452).
Will We Ever Meet Again?
At the recent Ignite event, Microsoft announced that the upcoming release of Windows 10 will also spell an end to the era of the monthly Patch Tuesday update. Security updates will be released as they become available. This may be in response to the super-packed Patch Tuesdays of recent years where teams struggle to prioritize and patch vulnerabilities attackers may have already been exploiting for weeks.
No official release date has been announced as of yet, but Windows 10 is expected to drop this summer. Hopefully this change in method will result in less frantic security departments and more secure networks. It may take some getting used to, but security will likely improve as good guys can work in the same real-world timeframe the bad guys have been enjoying and exploiting for years.
On the other hand, other vendors have gotten on board with the monthly update release cycle, including Adobe, Mozilla, and Google to name a few. They might pick up the Patch Tuesday banner just as Microsoft lays it down.