-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1860
 Microsoft Security Bulletin MS15-073 Important: Vulnerability in Windows
      Kernel-Mode Driver Could Allow Elevation of Privilege (3070102)
                               15 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Administrator Compromise -- Existing Account
                   Access Privileged Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2382 CVE-2015-2381 CVE-2015-2367
                   CVE-2015-2366 CVE-2015-2365 CVE-2015-2363

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-073

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-073 Important: Vulnerability in Windows 
Kernel-Mode Driver Could Allow Elevation of Privilege (3070102)

Bulletin Number: MS15-073

Bulletin Title: Vulnerability in Windows Kernel-Mode Driver Could Allow 
Elevation of Privilege

Severity: Important

KB Article: 3070102

Version: 1.0

Published Date: July 14, 2015

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The 
vulnerabilities could allow elevation of privilege if an attacker logs on to 
an affected system and runs a specially crafted application.

This security update is rated Important for all supported releases of 
Microsoft Windows. For more information, see the Affected Software section.

Affected Software

Windows Server 2003

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Server 2003 R2 Service Pack 2

Windows Server 2003 R2 x64 Edition Service Pack 2

Windows Vista

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 and Windows 8.1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012

Windows Server 2012 R2

Windows RT and Windows RT 8.1

Windows RT[1]

Windows RT 8.1[1]

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1]This update is available via Windows Update only.

Vulnerability Information

Win32k Elevation of Privilege Vulnerability - CVE-2015-2363

An elevation of privilege vulnerability exists due to the way the Windows 
kernel-mode driver handles objects in memory. An attacker who successfully 
exploited this vulnerability could run arbitrary code in kernel mode. An 
attacker could then install programs; view, change, or delete data; or create
new accounts with full user rights. To exploit this vulnerability, an attacker
would first have to log on to the system. An attacker could then run a 
specially crafted application that could exploit the vulnerability and take 
complete control over an affected system.

The update addresses this vulnerability by correcting how the Windows 
Kernel-mode driver handles objects in memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Win32k Elevation of Privilege Vulnerability - CVE-2015-2365

An elevation of privilege vulnerability exists due to the way the Windows 
kernel-mode driver handles objects in memory. An attacker who successfully 
exploited this vulnerability could run arbitrary code in kernel mode. An 
attacker could then install programs; view, change, or delete data; or create
new accounts with full user rights. To exploit this vulnerability, an attacker
would first have to log on to the system. An attacker could then run a 
specially crafted application that could exploit the vulnerability and take 
complete control over an affected system.

The update addresses this vulnerability by correcting how the Windows 
Kernel-mode driver handles objects in memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Win32k Elevation of Privilege Vulnerability - CVE-2015-2366

An elevation of privilege vulnerability exists due to the way the Windows 
kernel-mode driver handles objects in memory. An attacker who successfully 
exploited this vulnerability could run arbitrary code in kernel mode. An 
attacker could then install programs; view, change, or delete data; or create
new accounts with full user rights. To exploit this vulnerability, an attacker
would first have to log on to the system. An attacker could then run a 
specially crafted application that could exploit the vulnerability and take 
complete control over an affected system.

The update addresses this vulnerability by correcting how the Windows 
Kernel-mode driver handles objects in memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Win32k Information Disclosure Vulnerability - CVE-2015-2367

An information disclosure vulnerability exists when the Windows kernel-mode 
driver improperly handles certain non-initialized values in memory. An 
attacker who successfully exploited this vulnerability could leak memory 
addresses or other sensitive kernel information that could be used for further
exploitation of the system.

The update addresses this vulnerability by correcting how the Windows 
Kernel-mode driver handles objects in memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was originally issued 
Microsoft had not received any information to indicate that this vulnerability
had been publicly used to attack customers.

Win32k Information Disclosure Vulnerability - CVE-2015-2381

An information disclosure vulnerability exists in the Windows kernel-mode 
driver that could allow the disclosure of kernel memory contents to an 
attacker. This vulnerability is caused when the Windows kernel-mode driver 
leaks private address information during a function call.

An attacker could use this information disclosure vulnerability to gain 
information about the system that could then be combined with other attacks to
compromise the system. The information disclosure vulnerability by itself does
not allow arbitrary code execution. However, an attacker could use it in 
conjunction with another vulnerability to bypass security features such as 
Address Space Layout Randomization (ASLR). The update addresses this 
vulnerability by changing how the kernel-mode driver handles objects in 
memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was issued, Microsoft 
had not received any information to indicate that this vulnerability had been
publicly used to attack customers.

Win32k Information Disclosure Vulnerability - CVE-2015-2382

An information disclosure vulnerability exists in the Windows kernel-mode 
driver that could allow the disclosure of kernel memory contents to an 
attacker. This vulnerability is caused when the Windows kernel-mode driver 
leaks private address information during a function call.

An attacker could use this information disclosure vulnerability to gain 
information about the system that could then be combined with other attacks to
compromise the system. The information disclosure vulnerability by itself does
not allow arbitrary code execution. However, an attacker could use it in 
conjunction with another vulnerability to bypass security features such as 
Address Space Layout Randomization (ASLR). The update addresses this 
vulnerability by changing how the kernel-mode driver handles objects in 
memory.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. When this security bulletin was issued, Microsoft 
had not received any information to indicate that this vulnerability had been
publicly used to attack customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVaWeOH6ZAP0PgtI9AQKLbg//c7oPM/qXLnmHCtHRKbLKn3zdLe4wy3j4
v6WWPAbPnaMYGRjLcMiFTwrxXFNaf+kmqdM+owbBjP/nx1UGY2wyBz8I76dJua34
OwIan5VF6Tm1dpQ42SbNR4SUGQ33Bjl8dJ6pzJz31qOA0goJf31IPPKnq2e7zq4a
nULyHELxCgZwBK2kVVWEe7P0GpLZWKWwT4+UV9/zUYySGTWnLU/VDP/FNTvyVT8N
bpbhxcXKZ+H0ggt7kllKSxrlmaJrxiwl1jJKeqC/9c3mOauxek14yL2mc6u5iWcw
wMFXyEI647ClovEzxFaSmD5/4IX64gDvhlVmaLgCsJYWWZVaxz0T48mHob08wmqT
xrvKsMrdbEYjyGFrSyMBvUSQPp15VgLG3lw8Ksw4BmBTuOcP7EfbhR0Fg2QGEWXh
Ukqa/PdW4KSVqylRTGAgDTFCd1uzpb58PTnxgsWP3Y0FJpgv2EH9rv87vJZccXE7
8wifpxwBGTYUtWofZs5eI/h2rkrgN5SZzyniIoh0XkzTe1f/6X/cVWBtWuvw2C5H
aCSKbGfM0Nuz3/EFjT+NpFj8FxXaSo1kbl/mjwfpjzeHpuISf/PgcmLTS1SBzJ3g
w9txz3/DCR+ktT4GHQh95oGPavQmrhJz/W4O5ttuzsSA1C2YVG4Y3S1+5GrEPLT3
RDiXHcW8+SA=
=VIHA
-----END PGP SIGNATURE-----