-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1491
   MS15-061 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow
                    Elevation of Privilege (3057839)
                               9 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Access Confidential Data -- Existing Account
                   Administrator Compromise -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2360 CVE-2015-1768 CVE-2015-1727 CVE-2015-1726
                   CVE-2015-1725 CVE-2015-1724 CVE-2015-1723 CVE-2015-1722
                   CVE-2015-1721 CVE-2015-1720 CVE-2015-1719

Original Bulletin:
   https://technet.microsoft.com/en-us/library/security/MS15-061

- --------------------------BEGIN INCLUDED TEXT--------------------

Bulletin Number: MS15-061
Bulletin Title:  Vulnerabilities in Windows Kernel-Mode Drivers Could Allow
                 Elevation of Privilege
Severity:        Important
KB Article:      3057839
Version:         1.0
Published Date:  June 9, 2015

Executive Summary
-----------------

This security update resolves vulnerabilities in Microsoft Windows. The most
severe of these vulnerabilities could allow elevation of privilege if an
attacker logs on to the system and runs a specially crafted application in
kernel mode. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.

This security update is rated Important for all supported releases of Windows.

Affected Software
-----------------

Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8 and Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1

Vulnerability Information
-------------------------

Microsoft Windows Kernel Information Disclosure Vulnerability - CVE-2015-1719

An information disclosure vulnerability exists when the Windows kernel-mode
driver improperly handles buffer elements under certain conditions, allowing
an attacker to request the contents of specific memory addresses. An attacker
who successfully exploited this vulnerability could then potentially read data
that is not intended to be disclosed. This vulnerability would not allow an
attacker to execute code or to elevate their user rights directly, but it
could be used to obtain information in an attempt to further compromise the
affected system.

Workstations and servers are primarily at risk. Servers could be at more risk
if administrators allow users to log on to servers and to run programs.
However, best practices strongly discourage this.

To exploit this vulnerability an attacker must have valid logon credentials
and be able to execute programs on the system. The security update addresses
the vulnerability by correcting how the Windows kernel-mode driver validates
memory addresses.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was originally issued
Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers.

Microsoft Windows Kernel Use After Free Vulnerability - CVE-2015-1720

An elevation of privilege vulnerability exists when the Windows kernel-mode
driver improperly frees an object in memory that an attacker could use to
execute arbitrary code with elevated permissions. An attacker who successfully
exploited this vulnerability could run arbitrary code in kernel mode. An
attacker could then install programs; view, change, or delete data; or create
new accounts with full administrative rights.

To exploit this vulnerability an attacker would first have to log on to the
system or convince a logged-on user to execute a specially crafted
application. Workstations and terminal servers are primarily at risk. The
update addresses the vulnerability by changing how certain objects are handled
in memory.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was originally issued
Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers.

Win32k Null Pointer Dereference Vulnerability - CVE-2015-1721

An elevation of privilege vulnerability exists in the Windows kernel-mode
driver due to insufficient validation of certain data passed from user mode.
An attacker who successfully exploited this vulnerability could run arbitrary
code in kernel mode. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.

The update addresses the vulnerability by ensuring that the kernel-mode driver
properly validates data passed from user mode.

Microsoft received information about this vulnerability through coordinated
vulnerability disclosure. When this security bulletin was originally issued
Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers.

Multiple Microsoft Windows Kernel Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the Windows
kernel-mode driver when it accesses an object in memory that has either not
been correctly initialized or has been deleted. The vulnerabilities may
corrupt memory in such a way that an attacker could gain elevated privileges
on a targeted system.

An authenticated attacker who successfully exploited these vulnerabilities
could acquire elevated privileges. An attacker could then install programs;
view, change, or delete data; or create new accounts with full administrative
rights.

To exploit the vulnerabilities, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application designed to
increase privileges. The update addresses the vulnerabilities by correcting
how the kernel-mode driver handles objects in memory.

Vulnerability title                               CVE number     Publicly   Exploited
                                                                 disclosed
--------------------------------------------------------------------------------------
Microsoft Windows Kernel Bitmap Handling          CVE-2015-1722  No         No
  Use After Free Vulnerability
Microsoft Windows Station Use After Free          CVE-2015-1723  No         No
  Vulnerability
Microsoft Windows Kernel Object Use After Free    CVE-2015-1724  No         No
  Vulnerability
Microsoft Windows Kernel Brush Object Use After   CVE-2015-1726  No         No
  Free Vulnerability

Multiple Windows Kernel Buffer Overflow Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the Windows
kernel-mode driver when it improperly validates user input. An attacker who
successfully exploited these vulnerabilities could gain elevated privileges on
a targeted system.

An authenticated attacker who successfully exploited these vulnerabilities
could acquire elevated privileges. An attacker could then install programs;
view, change, or delete data; or create new accounts with full administrative
rights.

To exploit these vulnerabilities, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application
designed to increase privileges. The update addresses the vulnerabilities by
correcting how the kernel-mode driver validates user input.

Vulnerability title                               CVE number     Publicly   Exploited
                                                                 disclosed
--------------------------------------------------------------------------------------
Win32k Buffer Overflow Vulnerability              CVE-2015-1725  No         No
Win32k Pool Buffer Overflow Vulnerability         CVE-2015-1727  No         No

Multiple Win32k Memory Corruption Elevation of Privilege Vulnerabilities

An elevation of privilege vulnerability exists when the Windows kernel-mode
driver, Win32k.sys, fails to properly free memory. An attacker who
successfully exploited this vulnerability could execute arbitrary code within
the context of another user. If that other user has elevated rights, an
attacker could then install programs; view, change, or delete data; or create
new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application designed to
increase privileges. The update addresses the vulnerability by correcting how
the Windows kernel-mode driver handles objects in memory.

Vulnerability title                               CVE number     Publicly   Exploited
                                                                 disclosed
--------------------------------------------------------------------------------------
Win32k Memory Corruption Elevation of Privilege   CVE-2015-1768  No         No
  Vulnerability
Win32k Elevation of Privilege Vulnerability       CVE-2015-2360  No         Yes

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
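The bulletin's resolution is to apply the MS15-061 update (KB 3057839). The script below is an added example, not part of the AusCERT or Microsoft text: it reports, for each host named, the OS version, whether KB3057839 is present, and the version of the Win32k.sys driver the bulletin names. It assumes remote hosts accept WinRM (for Get-CimInstance) and DCOM/WMI (for Get-HotFix) from the caller, and that the admin$ share is reachable for the driver version read.

```powershell
# Added example: verify MS15-061 (KB3057839) installation state across hosts.
# Not part of the original bulletin. Assumes WinRM + WMI access and admin$ share.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$Kb = 'KB3057839'   # KB article number given in the bulletin

foreach ($computer in $ComputerName) {
    try {
        # OS identity, to compare against the bulletin's Affected Software list
        $os = Get-CimInstance -ClassName Win32_OperatingSystem `
                              -ComputerName $computer -ErrorAction Stop

        # Get-HotFix reads Win32_QuickFixEngineering; absent result means not listed
        $fix = Get-HotFix -Id $Kb -ComputerName $computer -ErrorAction SilentlyContinue

        # File version of the kernel-mode driver the bulletin names (Win32k.sys)
        $driverPath = if ($computer -ieq $env:COMPUTERNAME) {
            Join-Path $env:SystemRoot 'System32\win32k.sys'
        } else {
            "\\$computer\admin$\System32\win32k.sys"
        }
        $driverVersion = (Get-Item $driverPath -ErrorAction SilentlyContinue).VersionInfo.FileVersion

        [pscustomobject]@{
            ComputerName    = $computer
            OS              = $os.Caption
            OSVersion       = $os.Version
            KB3057839       = [bool]$fix
            InstalledOn     = if ($fix) { $fix.InstalledOn } else { $null }
            Win32kVersion   = $driverVersion
        }
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Win32_QuickFixEngineering does not record every update type, so treat a False result as "not confirmed" and cross-check it against your WSUS or SCCM compliance data before marking a host as unpatched.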
===========================================================================