Microsoft Patch Tuesday insight: FREAK, Stuxnet and more

Each month I’ll be offering insight into Microsoft’s Patch Tuesday updates, giving advice on which are the most serious vulnerabilities and how to prioritize them. Microsoft rates its own vulnerabilities internally, so whilst the ratings give a good idea of severity, the scoring system isn’t infallible.

We generally compare two sources of information to understand the full impact of the patch update: Microsoft’s own rating and the rating from US-CERT, which uses the Common Vulnerability Scoring System (CVSS).

By taking US-Cert’s independent ratings alongside Microsoft’s, you get a much clearer picture of which vulnerabilities are going to pose the biggest risk to your customers.

This month’s Microsoft Patch Tuesday is a relatively hefty one: 14 separate updates, five rated Critical and the rest Important, according to Microsoft. One update that surprises me is MS15-031, which resolves a major, well-known issue with Windows called FREAK. The vulnerability was serious enough that it was almost released as an out-of-band patch just last week, yet it has only been rated Important rather than Critical. Very odd!

The eagle-eyed will also notice that MS15-020, included in this month’s update, fixes the Stuxnet vulnerability. Stuxnet is a virus/worm believed to have been developed by the US and Israel and used specifically to attack nuclear reprocessing plants in Iran. With a CVSS score of 9.3 this should definitely be a priority for all businesses, whether you happen to be working at an Iranian nuclear plant or not.

Outlined below are the patches that you should actually consider rolling out first.

Critical patches
MS15-018 – CVSS: 9.3
This security update fixes a total of 13 separate vulnerabilities in Internet Explorer. The most serious flaw could allow remote code execution if a user were to view a specially crafted webpage. An attacker would gain the same access rights as the current user, so if you’re logged in as an administrator, that attacker can essentially have full control of the system.

The update addresses the vulnerabilities by modifying the way Internet Explorer handles objects in memory, by helping to ensure that policies are properly enforced, and by adding additional permission validations.

MS15-019 – CVSS: 9.3
This security update resolves a vulnerability in VBScript (a scripting language designed for interpretation by web browsers). Again, if a user visits a specially crafted webpage it could allow remote code execution. The update is rated Critical for the VBScript scripting engine in Microsoft Windows, but only Moderate for affected versions of VBScript on Windows Server.

MS15-020 – CVSS: 9.3
This patch addresses the Stuxnet vulnerability; while there were previous patches, they didn’t completely fix all of the vulnerable code paths. Even if you aren’t working at an Iranian nuclear reprocessing plant it’s still worth patching, as the vulnerability can allow remote code execution if a user browses a specially crafted web page, opens a specially crafted file, or browses a working directory that contains a specially crafted DLL file. Let’s stop Stuxnet once and for all!

MS15-021 – CVSS: 9.3
This update resolves eight privately reported vulnerabilities within Adobe Font Driver. The most serious of the eight could allow an attacker to take complete control of an affected system if a user views a specially crafted file or website.

MS15-022 – CVSS: 9.3
The final Critical update from Microsoft addresses vulnerabilities in Microsoft Office 2007, 2010 and 2013. This update patches five privately reported vulnerabilities, three of which could allow remote code execution.

Important updates
A further nine updates came from Microsoft this month, all rated as Important. Microsoft’s Important ratings diverge somewhat from US-CERT’s CVSS scores this month, so I’d recommend patching MS15-025 and MS15-030 once you’ve dealt with the Critical updates, and then take the rest from there.

Three of the Important updates could allow an elevation of privilege. That is to say, an attacker that successfully gains access to your system can elevate their privilege to an administrator. From there, they could install programs; view, change or delete data; or create new accounts with full user rights.

Two updates (MS15-028, MS15-031) could allow security feature bypass, so an attacker with limited privileges could use the vulnerabilities to execute files that they do not have permission to run. MS15-031 resolves the FREAK vulnerability, an industry-wide issue that’s not specific just to the Windows operating system.

The final three updates resolve issues in Microsoft Windows and NETLOGON that could allow spoofing, information disclosure and denial of service.

Next steps
There’s rarely a Patch Tuesday that goes by without an issue with one of the patches that can cause problems such as the dreaded blue screen of death. I’d advise that before you roll out patches to your customers, you look at the binary code for each update and then move on to testing and piloting the updates before deployment. This is what we do for both our customers and MSPs, and we then work through the rollout of the patches via Verismic Syxsense.

| Update no. | CVSS score | Microsoft rating | Affected software                           | Details                                                                              |
|------------|------------|------------------|---------------------------------------------|--------------------------------------------------------------------------------------|
| MS15-018   | 9.3        | Critical         | Microsoft Windows, Internet Explorer        | Cumulative security update for Internet Explorer                                     |
| MS15-019   | 9.3        | Critical         | Microsoft Windows                           | Vulnerability in VBScript scripting engine could allow remote code execution         |
| MS15-020   | 9.3        | Critical         | Microsoft Windows                           | Vulnerabilities in Microsoft Windows could allow remote code execution               |
| MS15-021   | 9.3        | Critical         | Microsoft Windows                           | Vulnerabilities in Adobe Font Driver could allow remote code execution               |
| MS15-022   | 9.3        | Critical         | Microsoft Office, Microsoft Server Software | Vulnerabilities in Microsoft Office could allow remote code execution                |
| MS15-030   | 7.8        | Important        | Microsoft Windows                           | Vulnerability in Remote Desktop Protocol could allow denial of service               |
| MS15-025   | 7.2        | Important        | Microsoft Windows                           | Vulnerabilities in Windows Kernel could allow elevation of privilege                 |
| MS15-023   | 5.6        | Important        | Microsoft Windows                           | Vulnerabilities in Kernel-Mode Driver could allow elevation of privilege             |
| MS15-024   | 4.3        | Important        | Microsoft Windows                           | Vulnerability in PNG Processing could allow information disclosure                   |
| MS15-026   | 4.3        | Important        | Microsoft Exchange                          | Vulnerabilities in Microsoft Exchange Server could allow elevation of privilege      |
| MS15-027   | 4.3        | Important        | Microsoft Windows                           | Vulnerability in NETLOGON could allow spoofing                                       |
| MS15-029   | 4.3        | Important        | Microsoft Windows                           | Vulnerability in Windows Photo Decoder Component could allow information disclosure  |
| MS15-028   | 2.1        | Important        | Microsoft Windows                           | Vulnerability in Windows Task Scheduler could allow security feature bypass          |
| MS15-031   | 5.0        | Important        | Microsoft Windows                           | Vulnerability in Schannel could allow security feature bypass                        |
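The prioritization described earlier in the post (comparing Microsoft’s own rating with US-CERT’s CVSS score, and pulling forward Important bulletins whose CVSS score says otherwise) can be written down as a small triage script. The following is an added example, not code from the original post or from Verismic; the bulletin list is transcribed from the table above, the CVSS v2 severity bands (Low below 4.0, Medium below 7.0, High from 7.0 up) are NVD’s published bands, and the escalation rule itself (an Important bulletin that falls in the High band is deployed straight after the Critical ones) is an assumption chosen to reproduce the author’s advice to patch MS15-025 and MS15-030 first.

```python
"""Rank Patch Tuesday bulletins by combining Microsoft's rating with the
US-CERT CVSS score, and flag bulletins where the two disagree.

Added example, not the post's or Verismic's code. The escalation rule
below (Important + CVSS High => deploy right after Critical) is an
assumption that encodes the post's recommendation for MS15-025/MS15-030.
"""
from dataclasses import dataclass
from typing import Dict, List

# Lower number = deploy sooner. Slot 1 is reserved for escalated bulletins.
MS_RANK = {"Critical": 0, "Important": 2, "Moderate": 3, "Low": 4}
ESCALATED_RANK = 1


@dataclass(frozen=True)
class Bulletin:
    id: str
    cvss: float
    ms_rating: str
    title: str


# Transcribed from the March 2015 table in the post (order as printed).
BULLETINS: List[Bulletin] = [
    Bulletin("MS15-018", 9.3, "Critical", "Cumulative security update for Internet Explorer"),
    Bulletin("MS15-019", 9.3, "Critical", "VBScript scripting engine RCE"),
    Bulletin("MS15-020", 9.3, "Critical", "Microsoft Windows RCE"),
    Bulletin("MS15-021", 9.3, "Critical", "Adobe Font Driver RCE"),
    Bulletin("MS15-022", 9.3, "Critical", "Microsoft Office RCE"),
    Bulletin("MS15-030", 7.8, "Important", "Remote Desktop Protocol DoS"),
    Bulletin("MS15-025", 7.2, "Important", "Windows Kernel EoP"),
    Bulletin("MS15-023", 5.6, "Important", "Kernel-Mode Driver EoP"),
    Bulletin("MS15-024", 4.3, "Important", "PNG Processing information disclosure"),
    Bulletin("MS15-026", 4.3, "Important", "Exchange Server EoP"),
    Bulletin("MS15-027", 4.3, "Important", "NETLOGON spoofing"),
    Bulletin("MS15-029", 4.3, "Important", "Windows Photo Decoder information disclosure"),
    Bulletin("MS15-028", 2.1, "Important", "Task Scheduler security feature bypass"),
    Bulletin("MS15-031", 5.0, "Important", "Schannel security feature bypass (FREAK)"),
]


def cvss_band(score: float) -> str:
    """Map a CVSS v2 base score to NVD's Low/Medium/High band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def disagrees(b: Bulletin) -> bool:
    """True when Microsoft rates the bulletin below Critical but CVSS says High."""
    return b.ms_rating != "Critical" and cvss_band(b.cvss) == "High"


def priority_key(b: Bulletin):
    # Sort by deployment slot, then by CVSS descending, then by bulletin id
    # so that ties (all five Critical bulletins are 9.3) come out stable.
    rank = ESCALATED_RANK if disagrees(b) else MS_RANK[b.ms_rating]
    return (rank, -b.cvss, b.id)


def prioritize(bulletins: List[Bulletin]) -> List[Bulletin]:
    """Return bulletins in recommended deployment order."""
    return sorted(bulletins, key=priority_key)


def escalated(bulletins: List[Bulletin]) -> List[str]:
    """Ids of bulletins pulled forward because the two ratings disagree."""
    return [b.id for b in prioritize(bulletins) if disagrees(b)]


def rollout_waves(bulletins: List[Bulletin]) -> Dict[int, List[str]]:
    """Group ids into waves: 1 = Critical, 2 = escalated, 3 = everything else."""
    waves: Dict[int, List[str]] = {1: [], 2: [], 3: []}
    for b in prioritize(bulletins):
        if b.ms_rating == "Critical":
            waves[1].append(b.id)
        elif disagrees(b):
            waves[2].append(b.id)
        else:
            waves[3].append(b.id)
    return waves


if __name__ == "__main__":
    for wave, ids in rollout_waves(BULLETINS).items():
        print(f"wave {wave}: {', '.join(ids)}")
    for b in prioritize(BULLETINS):
        flag = " <- escalated" if disagrees(b) else ""
        print(f"{b.id}  CVSS {b.cvss:>4}  {b.ms_rating:<9} {b.title}{flag}")
```

Running the script prints three deployment waves: the five Critical bulletins, then MS15-030 and MS15-025 (the two the post singles out), then the remaining Important bulletins in descending CVSS order. Swapping in next month’s bulletins is just a matter of replacing the BULLETINS list; the escalation threshold is the one knob worth revisiting if your own risk appetite differs.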
