===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0323
          MS15-010: Vulnerabilities in Windows Kernel-Mode Driver
                     Could Allow Remote Code Execution
                             11 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Administrator Compromise -- Remote with User Interaction
                   Denial of Service        -- Remote with User Interaction
                   Unauthorised Access      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2010 CVE-2015-0060 CVE-2015-0059
                   CVE-2015-0058 CVE-2015-0057 CVE-2015-0010
                   CVE-2015-0003  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-010

--------------------------BEGIN INCLUDED TEXT--------------------

Bulletin Number: MS15-010

Bulletin Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow 
Remote Code Execution

Severity: Critical

KB Article: 3036220

Version: 1.0

Published Date: February 10, 2015

Executive Summary

This security update resolves one publicly disclosed and five privately 
reported vulnerabilities in Microsoft Windows. The most severe of the 
vulnerabilities could allow remote code execution if an attacker convinces a 
user to open a specially crafted document or visit an untrusted website that 
contains embedded TrueType fonts.

This security update is rated Critical for all supported editions of Windows 
7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows
8.1, Windows Server 2012 R2, and Windows RT 8.1; it is rated Important for all
supported editions of Windows Server 2003, Windows Vista, and Windows Server 
2008. For more information, see the Affected Software section.

Affected Software

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT[1]

Windows RT 8.1[1]

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1] This update is available via Windows Update only.
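A host-side inventory check for this bulletin, added here as an example and not part of the Microsoft or AusCERT text. It assumes the product families in the Affected Software list above can be matched by substring against the Win32_OperatingSystem caption, and looks the update up by the bulletin's KB number; individual update packages may carry their own KB numbers, so a "not found" result is a prompt to verify against the bulletin rather than proof the host is unpatched.

```powershell
# Added example: per-host scope and patch-state check for MS15-010 (KB 3036220).
# Assumption: family names below are taken from the bulletin's Affected Software
# list; the KB number is the bulletin's and may differ from the package KB.
function Test-MS15010Status {
    [CmdletBinding()]
    param(
        # KB number from the bulletin; override if your package carries another.
        [string]$KB = 'KB3036220'
    )

    # Product families named in the bulletin's Affected Software section.
    # 'Windows 8' also matches 8.1; 'Windows Server 2008' also matches 2008 R2.
    $affectedFamilies = @(
        'Windows Server 2003', 'Windows Vista', 'Windows Server 2008',
        'Windows 7', 'Windows 8', 'Windows Server 2012', 'Windows RT'
    )

    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $caption = $os.Caption

    $inScope = $false
    foreach ($family in $affectedFamilies) {
        if ($caption -like "*$family*") { $inScope = $true; break }
    }

    # Get-HotFix writes a non-terminating error when the KB is absent; suppress it
    # and treat an empty result as "not installed under this KB number".
    $hotfix      = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    $action = 'None'
    if ($inScope -and -not $hotfix) { $action = 'Verify against bulletin / patch' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $caption
        InScope      = $inScope
        KB           = $KB
        KBInstalled  = [bool]$hotfix
        InstalledOn  = $installedOn
        Action       = $action
    }
}

Test-MS15010Status
```

Run it with Invoke-Command against a list of hosts to collect one object per machine for fleet-wide review.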

Vulnerability Information

Win32k Elevation of Privilege Vulnerability - CVE-2015-0003

An elevation of privilege vulnerability exists in the Windows kernel-mode 
driver (Win32k.sys) that is caused when it improperly handles objects in 
memory. An attacker who successfully exploited this vulnerability could gain 
elevated privileges. An attacker could then install programs; view, change, or
delete data; or create new accounts with full administrative rights. The 
update addresses the vulnerability by correcting how the kernel-mode driver 
validates certain parameters against registered objects.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

CNG Security Feature Bypass Vulnerability - CVE-2015-0010

A security feature bypass vulnerability exists in the Cryptography Next 
Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly 
validate and enforce impersonation levels. An attacker could exploit this 
vulnerability by convincing a user to run a specially crafted application that
is designed to cause CNG to improperly validate impersonation levels, 
potentially allowing the attacker to gain access to information beyond the 
access level of the local user. The security update addresses the 
vulnerability by correcting how the kernel-mode driver validates and enforces
impersonation levels.

This vulnerability has been publicly disclosed. It has been assigned Common 
Vulnerability and Exposure number CVE-2015-2010. When this security bulletin 
was originally issued Microsoft had not received any information to indicate 
that this vulnerability had been publicly used to attack customers.

Win32k Elevation of Privilege Vulnerability - CVE-2015-0057

An elevation of privilege vulnerability exists in the Windows kernel-mode 
driver (Win32k.sys) that is caused when it improperly handles objects in 
memory. An attacker who successfully exploited this vulnerability could gain 
elevated privileges and read arbitrary amounts of kernel memory. An attacker 
could then install programs; view, change, or delete data; or create new 
accounts with full administrative rights.

To exploit the vulnerability, an attacker would first have to log on to the 
system. An attacker could then run a specially crafted application designed to
elevate privileges. The update addresses the vulnerability by correcting how 
the kernel-mode driver handles objects in memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Windows Cursor Object Double Free Vulnerability - CVE-2015-0058

An elevation of privilege vulnerability exists in the Windows kernel-mode 
driver (Win32k.sys) due to a double-free condition. An attacker who 
successfully exploited this vulnerability could run arbitrary code in kernel 
mode. An attacker could then install programs; view, change, or delete data; or
create new accounts with full administrative rights. To exploit the 
vulnerability, an attacker would first have to log on to the system. An 
attacker could then run a specially crafted application designed to elevate 
privileges. The update addresses the vulnerability by correcting how the 
kernel-mode driver validates data returned from user-mode functions before 
that data is used.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

TrueType Font Parsing Remote Code Execution Vulnerability - CVE-2015-0059

A remote code execution vulnerability exists in the Windows kernel-mode driver
(Win32k.sys) that is caused when it improperly handles TrueType fonts.

An attacker who successfully exploited this vulnerability could run arbitrary
code in kernel mode. An attacker could then install programs; view, change, or
delete data; or create new accounts with full administrative rights. To 
exploit the vulnerability, an attacker would need to convince a user to open a
specially crafted document or visit an untrusted website that contains 
embedded TrueType fonts. The update addresses the vulnerability by correcting
how the kernel-mode driver handles TrueType fonts.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Windows Font Driver Denial of Service Vulnerability - CVE-2015-0060

A denial of service vulnerability exists in the Windows kernel-mode driver 
(Win32k.sys) that is caused when the Windows font mapper attempts to scale a 
font.

An attacker who successfully exploited this vulnerability could cause the 
user's computer to stop responding. An attacker could attempt to exploit this 
vulnerability by convincing a user to open a malicious file or visit a 
malicious website link. The update addresses the vulnerability by correcting 
how the kernel-mode driver checks font widths prior to loading fonts into 
memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================