===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0083
         Vulnerability in Windows Application Compatibility Cache
               Could Allow Elevation of Privilege (3023266)
                              14 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows 7
                   Windows 8
                   Windows 8.1
                   Windows RT
                   Windows RT 8.1
                   Windows Server 2008 R2
                   Windows Server 2012
                   Windows Server 2012 R2
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0002  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-001

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-001 - Important

Vulnerability in Windows Application Compatibility Cache Could Allow Elevation
of Privilege (3023266)

Published: January 13, 2015

Version: 1.0

Executive Summary

This security update resolves a publicly disclosed vulnerability in Microsoft
Windows. The vulnerability could allow elevation of privilege if an attacker 
logs on to a system and runs a specially crafted application. An authenticated
attacker who successfully exploited this vulnerability could bypass existing 
permission checks that are performed during cache modification in the 
Microsoft Windows Application Compatibility component and execute arbitrary 
code with elevated privileges.

This security update is rated Important for all supported editions of Windows
7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows
8.1, Windows Server 2012 R2, and Windows RT 8.1.

Affected Software

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT [1]

Windows RT 8.1 [1]

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1] This update is available via Windows Update only.

Vulnerability Information

Microsoft Application Compatibility Infrastructure Elevation of Privilege 
Vulnerability - CVE-2015-0002

An elevation of privilege vulnerability exists in how the Microsoft Windows 
Application Compatibility Infrastructure (AppCompat) improperly checks the 
authorization of the caller's impersonation token. An attacker could attempt 
to exploit this to run a privileged application. The update addresses the 
vulnerability by implementing proper authorization checking of impersonation 
token usage.

This vulnerability has been publicly disclosed. It has been assigned Common 
Vulnerability and Exposure number CVE-2015-0002. When this security bulletin 
was issued, Microsoft was not aware of attacks that attempt to exploit this 
vulnerability.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================