Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2582
Microsoft Security Bulletin MS15-111: Important Security Update for Windows
Kernel to Address Elevation of Privilege (3096447)
14 October 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Windows
Publisher: Microsoft
Operating System: Windows
Impact/Access: Administrator Compromise -- Existing Account
Execute Arbitrary Code/Commands -- Remote with User Interaction
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2015-2554 CVE-2015-2553 CVE-2015-2552
CVE-2015-2550 CVE-2015-2549
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/MS15-111
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS15-111: Important Security Update for Windows
Kernel to Address Elevation of Privilege (3096447)
Document Metadata
Bulletin Number: MS15-111
Bulletin Title: Security Update for Windows Kernel to Address Elevation of
Privilege
Severity: Important
KB Article: 3096447
Version: 1.0
Published Date: October 13, 2015
Executive Summary
This security update resolves vulnerabilities in Microsoft Windows. The more
severe of the vulnerabilities could allow elevation of privilege if an
attacker logs on to an affected system and runs a specially crafted
application.
Note Customers who are using local and remote reporting attestation solutions
should review the details of CVE-2015-2552 discussed in this bulletin.
This security update is rated Important for all supported releases of
Microsoft Windows. For more information, see the Affected Software section.
Affected Software
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012
Windows Server 2012 R2
Windows RT[1]
Windows RT 8.1[1]
Windows 10 for 32-bit Systems[2]
Windows 10 for x64-based Systems[2]
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
[1]This update is only available via Windows Update.
[2]The Windows 10 update is cumulative. In addition to containing non-security
updates, it also contains all of the security fixes for all of the Windows
10-affected vulnerabilities shipping with this months security release. The
update is available via the Windows Update Catalog. See Microsoft Knowledge
Base Article 3097617 for more information and download links.
Vulnerability Information
Multiple Windows Kernel Elevation of Privilege Vulnerabilities
Multiple elevation of privilege vulnerabilities exist in the way the Windows
kernel handles objects in memory. An attacker who successfully exploited the
vulnerabilities could run arbitrary code in kernel mode. An attacker could
then install programs; view, change, or delete data; or create new accounts
with full user rights.
To exploit the vulnerabilities, an attacker would first have to log on to the
system. An attacker could then run a specially crafted application that could
exploit the vulnerabilities and take control over an affected system. The
update addresses the vulnerabilities by correcting how the Windows kernel
handles objects in memory.
Vulnerability Title CVE number Publicly disclosed Exploited
Windows Kernel Memory Corruption Vulnerability CVE-2015-2549 No No
Windows Elevation of Privilege Vulnerability CVE-2015-2550 No No
Windows Object Reference Elevation of Privilege Vulnerability CVE-2015-2554 No No
Trusted Boot Security Feature Bypass Vulnerability CVE-2015-2552
A security feature bypass vulnerability exists when Windows fails to properly
enforce the Windows Trusted Boot policy. An attacker who successfully
exploited this vulnerability could disable code integrity checks, allowing
test-signed executables and drivers to be loaded on a target device.
Furthermore, an attacker could bypass Trusted Boot integrity validation for
BitLocker and Device Encryption security features.
An attacker who has gained administrative privileges or who has physical
access to a target device could exploit the vulnerability by applying a
maliciously crafted Boot Configuration Data (BCD) setting. The security update
addresses the vulnerability by improving how Windows parses BCD.
This vulnerability has been publicly disclosed. It has been assigned Common
Vulnerability and Exposure number CVE-2015-2552. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack attempting
to exploit this vulnerability.
Windows Mount Point Elevation of Privilege Vulnerability - CVE-2015-2553
An elevation of privilege vulnerability exists when Windows improperly
validates junctions in certain scenarios in which mount points are being
created. An attacker who successfully exploited this vulnerability could
potentially run arbitrary code in the security context of the user running a
compromised application.
To exploit this vulnerability, an attacker would most likely have to leverage
another vulnerability that allows them to run arbitrary code in a sandboxed
application. The update addresses the vulnerability by correcting how Windows
handles certain scenarios involving junction and mount-point creation.
This vulnerability has been publicly disclosed. It has been assigned Common
Vulnerability and Exposure number CVE-2015-2553. At the time this security
bulletin was originally issued, Microsoft was unaware of any attack attempting
to exploit this vulnerability.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVh2ffX6ZAP0PgtI9AQJvyhAAiLNQh2/hsaIwcCz9VQmcfpdpErQKiUwA
MLno+qd+/MeZOj4sUxEBbNBwPYhU0yIySbUFSUpAb0VxDQtk+hcb8cF6zKhMtDBI
bvMKuo0XilqRgkcMiOVYV6HumJxlNLOniLVwxJP7t3iEY8MVkosU7WvDOOIZfifQ
1Uf7WlUWvMLHE14eab2oJ2Fw5V8l5G3WC2DN4NevvxLszLCE1fnZhG1i6yD30aU5
SU/asjwUiywcxEqwLqkJPXlnynKLfiGhGuMYmwNAa/zazH8V3mf4MTR53AvJI1wL
VlqTH5Wo1KC/5ACoE95GjBZju45vxES4W+kyhF2HRkOM+eg5hfJaFIq+wWzSJGWT
wi5EwMydnbus9JYiuBMLpsCXq2QXWgwRSbb4A+G4KKR2UsC2/OiOFARUpCoL75Bv
MP/jtJZXLFr4E+5gKJ2io3fy1ZQ1ZX4+eLutlvcV0OXRBycHFs45BUvq0oHAmSPz
uemXj9XefqQ7ON4CmaFeysfn/4J+bjM5cCUl32VLCyloY3TxkvydQuIsG7U7hNXL
f+asF7ihNM+M9bXcrA/qWLl6pqfVbdOM5uSHI1iSDZATuRXOOjaHILZxWXwcDPAS
Bc7psTYYVmDzQIi1FJAl4q7BEP0a41uRCaamQePgXz0MACAp0Zd85Ez+GG57b/IW
Z7qqyfYK9WE=
=d/nz
-----END PGP SIGNATURE-----