Chris Goettl
Sr. Product Manager
Minimizing the Impact of Patch Tuesday
Wednesday, October 14th, 2015
Dial In: 1-855-749-4750 (US)
Attendees:
Shavlik Confidential

Logistics
• Feel free to ask questions via the online Q&A link in the WebEx interface.
• Questions may be answered during the presentation.
• Unanswered questions will be resolved via email after the presentation is over.
• A copy of this presentation will be available at http://www.shavlik.com/webinars/ after the webinar.

Agenda
• October 2015 Patch Tuesday Overview
• Review October 2015 Security Bulletins
• Patch Recommendations
• Other patches released since last Patch Tuesday

Patch Tuesday Overview for October 2015
• 6 Microsoft Security Bulletins / 33 Vulnerabilities Addressed
• 2 Adobe Bulletins / 68 Vulnerabilities Addressed
• 1 Google Bulletin / 24 Vulnerabilities Addressed
• Affected Products:
  • All supported Windows operating systems (Including Windows 10)
  • Internet Explorer, Edge
  • Microsoft Office 2007, 2010, 2013, 2016
  • Office Web Apps
  • SharePoint
  • Adobe Acrobat and Reader
  • Adobe Flash
  • Google Chrome

Overview for Microsoft October 2015
• Security Bulletins:
  • 3 bulletins are rated as Critical.
  • 3 bulletins are rated as Important.
• Vulnerability Impact:
  • 4 bulletins address vulnerabilities that could allow Remote Code Execution.
  • 1 bulletin addresses a vulnerability that could allow Elevation of Privileges.
  • 1 bulletin addresses a vulnerability that could allow Information Disclosure.

Overview for 3rd Party Vendors October 2015
• Security Bulletins:
  • Adobe Flash Player (Priority 1)
  • Adobe Acrobat and Reader (Priority 2)
  • Google Chrome (High and includes Priority 1 Flash plug-in update)
• Vulnerability Impact:
  • Adobe Flash Player resolves 13 vulnerabilities including Security Feature Bypass, Code Execution.
  • Adobe Reader and Acrobat resolve 55 vulnerabilities including Code Execution, Information Disclosure, Security Feature Bypass, and DoS.
  • Google Chrome resolves 24 vulnerabilities, and the 13 from the Flash plug-in, including Security Feature Bypass, Use-after-free, Information Disclosure, and Memory Corruption vulnerabilities.

CSWU-010: Cumulative update for Windows 10: October 13, 2015
• Maximum Severity: Critical
• Affected Products: Windows 10, Internet Explorer, Edge
• Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins: MS15-106, MS15-107, MS15-109, MS15-111. Windows 10 updates are cumulative. Therefore, this package contains all previously released fixes.
• Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure
• Fixes 23 vulnerabilities:
  • CVE-2015-2482, CVE-2015-6042, CVE-2015-6044, CVE-2015-6046, CVE-2015-6047, CVE-2015-6048, CVE-2015-6049, CVE-2015-6050, CVE-2015-6051, CVE-2015-6052, CVE-2015-6053, CVE-2015-6055, CVE-2015-6056 (Public Disclosure), CVE-2015-6059, CVE-2015-6057, CVE-2015-6058, CVE-2015-2515, CVE-2015-2548, CVE-2015-2549, CVE-2015-2550, CVE-2015-2552 (Public Disclosure), CVE-2015-2553 (Public Disclosure), CVE-2015-2554
• Replaces: CSWU-009
• Restart Required: Requires Restart

MS15-106: Cumulative Security Update for Internet Explorer (3096441)
• Maximum Severity: Critical
• Affected Products: Internet Explorer
• Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
• Impact: Remote Code Execution
• Fixes 14 vulnerabilities:
  • CVE-2015-2482, CVE-2015-6042, CVE-2015-6044, CVE-2015-6046, CVE-2015-6047, CVE-2015-6048, CVE-2015-6049, CVE-2015-6050, CVE-2015-6051, CVE-2015-6052, CVE-2015-6053, CVE-2015-6055, CVE-2015-6056 (Public Disclosure), CVE-2015-6059
• Replaces: 3087038 in MS15-094
• Restart Required: Requires Restart

MS15-108: Security Update for JScript and VBScript to Address Remote Code Execution (3089659)
• Maximum Severity: Critical
• Affected Products: Microsoft Windows Vista and Server 2008
• Description: This security update resolves vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website.
• Impact: Remote Code Execution
• Fixes 4 vulnerabilities:
  • CVE-2015-2482, CVE-2015-6052, CVE-2015-6055, CVE-2015-6059
• Replaces: 3068368 in MS15-066
• Restart Required: May Require Restart

MS15-109: Security Update for Windows Shell to Address Remote Code Execution (3096443)
• Maximum Severity: Critical
• Affected Products: Microsoft Windows Vista and Server 2008
• Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online.
• Impact: Remote Code Execution
• Fixes 2 vulnerabilities:
  • CVE-2015-2515, CVE-2015-2548
• Replaces: 3079757 in MS15-088, 3039066 in MS15-020
• Restart Required: May Require Restart

MS15-110: Security Updates for Microsoft Office to Address Remote Code Execution (3096440)
• Maximum Severity: Important
• Affected Products: Microsoft Office, Office Web Apps, SharePoint
• Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
• Impact: Remote Code Execution
• Fixes 6 vulnerabilities:
  • CVE-2015-2555, CVE-2015-2556, CVE-2015-2557, CVE-2015-2558, CVE-2015-6037, CVE-2015-6039 (Publicly Disclosed)
• Replaces: 3081455
• Restart Required: May Require Restart

MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447)
• Maximum Severity: Important
• Affected Products: Microsoft Windows
• Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
• Impact: Elevation of Privilege
• Fixes 6 vulnerabilities:
  • CVE-2015-2549, CVE-2015-2550, CVE-2015-2552 (Publicly Disclosed), CVE-2015-2553 (Publicly Disclosed), CVE-2015-2554
• Replaces: 3045999 in MS15-038, 3067505 in MS15-076, 3050514 in MS15-052, 3035131 in MS15-025
• Restart Required: Requires Restart

APSB15-24: Security Updates Available for Adobe Acrobat and Reader
• Maximum Severity: Priority 2
• Affected Products: Adobe Acrobat and Reader
• Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
• Impact: Elevation of Privilege
• Fixes 55 vulnerabilities:
  • CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015-6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE-2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015-7622, CVE-2015-7623, CVE-2015-7624
• Replaces: APSB15-15
• Restart Required:

APSB15-25: Security updates available for Adobe Flash Player
• Maximum Severity: Priority 1
• Affected Products: Adobe Flash Player
• Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
• Impact:
• Fixes 13 vulnerabilities:
  • CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644
• Replaces: APSB15-23
• Restart Required:

CHROME-150: Security updates available for Adobe Flash Player
• Maximum Severity: High
• Affected Products: Google Chrome
• Description: Chrome 46.0.2490.71 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 46.
• Impact: Security Feature Bypass, Use-after-free, Information Disclosure, Memory Corruption.
• Fixes 24 (+13 from Flash plug-in) vulnerabilities:
  • CVE-2015-6755, CVE-2015-6756, CVE-2015-6757, CVE-2015-6758, CVE-2015-6759, CVE-2015-6760, CVE-2015-6761, CVE-2015-6762, CVE-2015-6763
• Replaces: CHROME-149
• Restart Required:

MS15-107: Cumulative Security Update for Microsoft Edge (3096448)
• Maximum Severity: Important
• Affected Products: Windows, Edge
• Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow information disclosure if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
• Impact: Information Disclosure
• Fixes 2 vulnerabilities:
  • CVE-2015-6057, CVE-2015-6058
• Replaces: 3081455
• Restart Required: Requires Restart

Other lower priority updates for October
• Opera

Review Patch Releases Since September Patch Tuesday
• Microsoft: 53 (Non-Security), 3 (Security Advisories), 1 (Security Tool), 2 (Security)
• Chrome: 1 (Security)
• Opera: 1 (Security)
• Box Sync: 2 (Non-Security)
• Dropbox: 3 (Non-Security)
• Splunk Universal Forwarder: 2 (Non-Security)
• iTunes: 1 (Security)
• FileZilla: 1 (Security)
• PSPad: 2 (Non-Security)
• TeamViewer: 1 (Non-Security)
• VMware Horizon View Client: 1 (Non-Security)
• Flash Player: 1 (Security)
• Chrome: 2 (Security)
• TortoiseSVN: 2 (Security)
• Skype: 2 (Security)
• Firefox: 3 (Security)
• RealTimes: 1 (Non-Security)
• Google Drive: 2 (Non-Security)
• LibreOffice: 1 (Non-Security)
• HP System Management Homepage: 1 (Security)
• Opera: 1 (Security)
• SeaMonkey: 1 (Security)
• CCleaner: 1 (Non-Security)
• GotoMeeting: 1 (Non-Security)
• Adobe Photoshop CC: 1 (Security)
• Thunderbird: 1 (Security)
• CoreFTP: 1 (Non-Security)
• Citrix Studio: 1 (Non-Security)
• Apache Tomcat: 1 (Non-Security)
• Picasa: 1 (Security)
• Foxit Reader: 1 (Non-Security)
Q&A
Resources and Webinars
• Slide deck and video playback available here: www.shavlik.com/Webinars
• Sign up for next month's Patch Tuesday Webinar and view webinar playbacks: http://www.shavlik.com/webinars/
• Sign up for Content Announcements:
  • Email http://www.shavlik.com/support/xmlsubscribe/
  • RSS http://protect7.shavlik.com/feed/
  • Twitter @ShavlikXML
• Follow us on:
  • Shavlik on LinkedIn
  • Twitter @ShavlikProtect
  • Shavlik blog -> www.shavlik.com/blog
  • Chris Goettl on LinkedIn
  • Twitter @ChrisGoettl

Patch Tuesday Analysis - October 2015

More Related Content

PPTX
Patch Tuesday Analysis - September 2015
PPTX
Patch Tuesday Analysis - August 2015
PPTX
Patch Tuesday Analysis - July 2015
PPTX
Patch Tuesday Analysis - December 2015
PPTX
Patch Tuesday Analysis - November 2015
PPTX
Patch Tuesday Analysis - January 2016
PPTX
Patch Tuesday Analysis - February 2016
PPTX
August Patch Tuesday 2016
Patch Tuesday Analysis - September 2015
Patch Tuesday Analysis - August 2015
Patch Tuesday Analysis - July 2015
Patch Tuesday Analysis - December 2015
Patch Tuesday Analysis - November 2015
Patch Tuesday Analysis - January 2016
Patch Tuesday Analysis - February 2016
August Patch Tuesday 2016

What's hot (17)

PPTX
Patch Tuesday Analysis - April 2016
PPTX
Patch Tuesday Analysis - March 2016
PPTX
February 2018 Patch Tuesday Analysis
PPTX
Patch Tuesday Analysis - June 2016
PPTX
January Patch Tuesday Webinar 2018
PPTX
October Patch Tuesday Analysis 2018
PPTX
December 2018 Patch Tuesday Analysis
PPTX
Patch Tuesday Analysis - May 2016
PPTX
August Patch Tuesday Analysis
PPTX
July Patch Tuesday 2020
PPTX
December2016 patchtuesdayshavlik
PPTX
Shavlik September Patch Tuesday 2016
PPTX
November2016 patchtuesdayshavlik
PPTX
There's more to third-party patching than SCCM 1806
PPTX
January2017 patchtuesdayshavlik
PPTX
November Patch Tuesday Analysis
PPTX
October2016 patchtuesdayshavlik
Patch Tuesday Analysis - April 2016
Patch Tuesday Analysis - March 2016
February 2018 Patch Tuesday Analysis
Patch Tuesday Analysis - June 2016
January Patch Tuesday Webinar 2018
October Patch Tuesday Analysis 2018
December 2018 Patch Tuesday Analysis
Patch Tuesday Analysis - May 2016
August Patch Tuesday Analysis
July Patch Tuesday 2020
December2016 patchtuesdayshavlik
Shavlik September Patch Tuesday 2016
November2016 patchtuesdayshavlik
There's more to third-party patching than SCCM 1806
January2017 patchtuesdayshavlik
November Patch Tuesday Analysis
October2016 patchtuesdayshavlik
Ad

Viewers also liked (6)

PPTX
Patch Tuesday Analysis - September 2016
PPTX
Patch Tuesday Analysis - July 2016
PPTX
Patch Tuesday Analysis - August 2016
PPTX
Patch Tuesday Analysis - December 2016
PPTX
Patch Tuesday Analysis - October 2016
PPTX
Patch Tuesday Analysis - November 2016
Patch Tuesday Analysis - September 2016
Patch Tuesday Analysis - July 2016
Patch Tuesday Analysis - August 2016
Patch Tuesday Analysis - December 2016
Patch Tuesday Analysis - October 2016
Patch Tuesday Analysis - November 2016
Ad

Similar to Patch Tuesday Analysis - October 2015 (12)

PPTX
Patch Tuesday Analysis - January 2017
PPTX
Patch Tuesday Analysis - March 2017
PPTX
July 2018 Patch Tuesday Analysis
PPTX
December 2017 Patch Tuesday
PPTX
April 2017 patch tuesday ivanti
PPTX
March 2018 Patch Tuesday Ivanti
PPTX
October 2017 Ivanti Patch Tuesday Analysis
PPTX
May 2018 Patch Tuesday Analysis
PPTX
September 2017 Patch Tuesday
PPTX
April Patch Tuesday Analysis 2018
PPTX
2021 September Patch Tuesday
PPTX
May 2017 Patch Tuesday Ivanti
Patch Tuesday Analysis - January 2017
Patch Tuesday Analysis - March 2017
July 2018 Patch Tuesday Analysis
December 2017 Patch Tuesday
April 2017 patch tuesday ivanti
March 2018 Patch Tuesday Ivanti
October 2017 Ivanti Patch Tuesday Analysis
May 2018 Patch Tuesday Analysis
September 2017 Patch Tuesday
April Patch Tuesday Analysis 2018
2021 September Patch Tuesday
May 2017 Patch Tuesday Ivanti

More from Ivanti (20)

PDF
August Patch Tuesday
PDF
Français Patch Tuesday - Juillet
PDF
July Patch Tuesday
PDF
Français Patch Tuesday - Juin
PDF
June Patch Tuesday
PDF
Français Patch Tuesday - Mai
PDF
May Patch Tuesday
PDF
Français Patch Tuesday - Avril
PDF
April Patch Tuesday
PDF
Français Patch Tuesday - Mars
PDF
March Patch Tuesday
PDF
Français Patch Tuesday - Février
PDF
February Patch Tuesday
PDF
Patch Tuesday de Diciembre
PDF
Français Patch Tuesday - Décembre
PDF
Patch Tuesday Italia Dicembre
PDF
December Patch Tuesday
PDF
Patch Tuesday de Noviembre
PDF
Français Patch Tuesday - Novembre
PDF
Patch Tuesday Italia Novembre
August Patch Tuesday
Français Patch Tuesday - Juillet
July Patch Tuesday
Français Patch Tuesday - Juin
June Patch Tuesday
Français Patch Tuesday - Mai
May Patch Tuesday
Français Patch Tuesday - Avril
April Patch Tuesday
Français Patch Tuesday - Mars
March Patch Tuesday
Français Patch Tuesday - Février
February Patch Tuesday
Patch Tuesday de Diciembre
Français Patch Tuesday - Décembre
Patch Tuesday Italia Dicembre
December Patch Tuesday
Patch Tuesday de Noviembre
Français Patch Tuesday - Novembre
Patch Tuesday Italia Novembre

Recently uploaded (20)

PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
Electronic commerce courselecture one. Pdf
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Empathic Computing: Creating Shared Understanding
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPT
Teaching material agriculture food technology
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
KodekX | Application Modernization Development
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Programs and apps: productivity, graphics, security and other tools
Electronic commerce courselecture one. Pdf
Spectral efficient network and resource selection model in 5G networks
Mobile App Security Testing_ A Comprehensive Guide.pdf
Review of recent advances in non-invasive hemoglobin estimation
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Unlocking AI with Model Context Protocol (MCP)
Empathic Computing: Creating Shared Understanding
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Teaching material agriculture food technology
Diabetes mellitus diagnosis method based random forest with bat algorithm
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
MYSQL Presentation for SQL database connectivity
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
“AI and Expert System Decision Support & Business Intelligence Systems”
KodekX | Application Modernization Development
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
NewMind AI Weekly Chronicles - August'25 Week I
Reach Out and Touch Someone: Haptics and Empathic Computing

Patch Tuesday Analysis - October 2015

  • 1. Chris Goettl Sr. Product Manager Minimizing the Impact of Patch Tuesday Wednesday, October 14th, 2015 Dial In: 1-855-749-4750 (US) Attendees:
  • 2. Shavlik Confidential  Feel free to ask questions via the online Q&A link in the WebEx interface.  Questions may be answered during the presentation.  Unanswered questions will be resolved via email after the presentation is over.  A copy of this presentation will be available at http://www.shavlik.com/webinars/ after the webinar. 2 Logistics
  • 3. Shavlik Confidential  October 2015 Patch Tuesday Overview  Review October 2015 Security Bulletins  Patch Recommendations  Other patches released since last Patch Tuesday 3 Agenda
  • 5. Shavlik Confidential  6 Microsoft Security Bulletins / 33 Vulnerabilities Addressed  2 Adobe Bulletins / 68 Vulnerabilities Addressed  1 Google Bulletin / 24 Vulnerabilities Addressed  Affected Products:  All supported Windows operating systems (Including Windows 10)  Internet Explorer, Edge  Microsoft Office 2007, 2010, 2013, 2016  Office Web Apps  Sharepoint  Adobe Acrobat and Reader  Adobe Flash  Google Chrome 5 Patch Tuesday Overview for October 2015
  • 6. Shavlik Confidential  Security Bulletins:  3 bulletin is rated as Critical.  3 bulletins are rated as Important.  Vulnerability Impact:  4 bulletins address vulnerabilities that could allow Remote Code Execution.  1 bulletin addresses a vulnerability that could allow Elevation of Privileges.  1 bulletin addresses a vulnerability that could allow Information Disclosure. 6 Overview for Microsoft October 2015
  • 7. Shavlik Confidential  Security Bulletins:  Adobe Flash Player (Priority 1)  Adobe Acrobat and Reader (Priority 2)  Google Chrome (High and includes Priority 1 Flash plug-in update)  Vulnerability Impact:  Adobe Flash Player resolves 13 vulnerabilities including Security Feature Bypass, Code Execution .  Adobe Reader and Acrobat resolve 55 vulnerabilities including Code Execution, Information Disclosure, Secuirty Feature Bypass, and DoS.  Google Chrome resolves 24 vulnerabilities, and the 13 from the Flash plug-in, including Security Feature Bypass, Use-after-free, Information Disclosure, and Memory Corruption vulnerabilities. 7 Overview for 3rd Party Vendors October 2015
  • 8. Shavlik Confidential  Maximum Severity: Critical  Affected Products: Windows 10, Internet Explorer, Edge  Description: This update for Windows 10 includes functionality improvements and resolves the vulnerabilities in Windows that are described in the following Microsoft security bulletins: MS15-106, MS15-107, MS15-109, MS15-111. Windows 10 updates are cumulative. Therefore, this package contains all previously released fixes.  Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure  Fixes 23 vulnerabilities:  CVE-2015-2482, CVE-2015-6042, CVE-2015-6044, CVE-2015-6046, CVE-2015-6047, CVE-2015-6048, CVE-2015-6049, CVE-2015- 6050, CVE-2015-6051, CVE-2015-6052, CVE-2015-6053, CVE-2015-6055, CVE-2015-6056 (Public Disclosure), CVE-2015-6059, CVE-2015-6057, CVE-2015-6058, CVE-2015-2515, CVE-2015-2548, CVE-2015-2549, CVE-2015-2550, CVE-2015-2552 (Public Disclosure), CVE-2015-2553 (Public Disclosure), CVE-2015-2554  Replaces: CSWU-009  Restart Required: Requires Restart 8 CSWU-010: Cumulative update for Windows 10: October 13, 2015
  • 9. Shavlik Confidential  Maximum Severity: Critical  Affected Products: Internet Explorer  Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.  Impact: Remote Code Execution  Fixes 14 vulnerabilities:  CVE-2015-2482, CVE-2015-6042, CVE-2015-6044, CVE-2015-6046, CVE-2015-6047, CVE-2015-6048, CVE- 2015-6049, CVE-2015-6050, CVE-2015-6051, CVE-2015-6052, CVE-2015-6053, CVE-2015-6055, CVE-2015- 6056 (Public Disclosure), CVE-2015-6059  Replaces: 3087038 in MS15-094  Restart Required: Requires Restart 9 MS15-106: Cumulative Security Update for Internet Explorer (3096441)
  • 10. Shavlik Confidential  Maximum Severity: Critical  Affected Products: Microsoft Windows Vista and Server 2008  Description: This security update resolves vulnerabilities in the VBScript and JScript scripting engines in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker hosts a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer (or leverages a compromised website or a website that accepts or hosts user-provided content or advertisements) and then convinces a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that uses the IE rendering engine to direct the user to the specially crafted website.  Impact: Remote Code Execution  Fixes 4 vulnerabilities:  CVE-2015-2482, CVE-2015-6052, CVE-2015-6055, CVE-2015-6059  Replaces: 3068368 in MS15-066,  Restart Required: May Require Restart 10 MS15-108: Security Update for JScript and VBScript to Address Remote Code Execution (3089659)
  • 11. Shavlik Confidential  Maximum Severity: Critical  Affected Products: Microsoft Windows Vista and Server 2008  Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online.  Impact: Remote Code Execution  Fixes 2 vulnerabilities:  CVE-2015-2515, CVE-2015-2548  Replaces: 3079757 in MS15-088, 3039066 in MS15-020,  Restart Required: May Require Restart 11 MS15-109: Security Update for Windows Shell to Address Remote Code Execution (3096443)
  • 12. Shavlik Confidential  Maximum Severity: Important  Affected Products: Microsoft Office, Office Web Apps, SharePoint  Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.  Impact: Remote Code Execution  Fixes 6 vulnerabilities:  CVE-2015-2555, CVE-2015-2556, CVE-2015-2557, CVE-2015-2558, CVE-2015-6037, CVE-2015-6039 (Publicly Disclosed)  Replaces: 3081455,  Restart Required: May Require Restart 12 MS15-110: Security Updates for Microsoft Office to Address Remote Code Execution (3096440)
  • 13. Shavlik Confidential  Maximum Severity: Important  Affected Products: Microsoft Windows  Description: This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.  Impact: Elevation of Privilege  Fixes 6 vulnerabilities:  CVE-2015-2549, CVE-2015-2550, CVE-2015-2552 (Publicly Disclosed), CVE-2015-2553 (Publicly Disclosed), CVE-2015-2554  Replaces: 3045999 in MS15-038, 3067505 in MS15-076, 3050514 in MS15-052, 3035131 in MS15-025,  Restart Required: Requires Restart 13 MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447)
  • 14. Shavlik Confidential  Maximum Severity: Priority 2  Affected Products: Adobe Acrobat and Reader  Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Impact: Elevation of Privilege  Fixes 55 vulnerabilities:  CVE-2015-5583, CVE-2015-5586, CVE-2015-6683, CVE-2015-6684, CVE-2015-6685, CVE-2015-6686, CVE-2015-6687, CVE-2015- 6688, CVE-2015-6689, CVE-2015-6690, CVE-2015-6691, CVE-2015-6692, CVE-2015-6693, CVE-2015-6694, CVE-2015-6695, CVE- 2015-6696, CVE-2015-6697, CVE-2015-6698, CVE-2015-6699, CVE-2015-6700, CVE-2015-6701, CVE-2015-6702, CVE-2015-6703, CVE-2015-6704, CVE-2015-6705, CVE-2015-6706, CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015- 6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE- 2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7615, CVE-2015-7616, CVE-2015-7617, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, CVE-2015-7621, CVE-2015- 7622, CVE-2015-7623, CVE-2015-7624  Replaces: APSB15-15  Restart Required: 14 APSB15-24: Security Updates Available for Adobe Acrobat and Reader
  • 15. Shavlik Confidential  Maximum Severity: Priority 1  Affected Products: Adobe Flash Player  Description: Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  Impact:  Fixes 13 vulnerabilities:  CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015- 7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644  Replaces: APSB15-23  Restart Required: 15 APSB15-25: Security updates available for Adobe Flash Player
  • 16. Shavlik Confidential  Maximum Severity: High  Affected Products: Google Chrome  Description: Chrome 46.0.2490.71 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 46.  Impact: Security Feature Bypass, Use-after-free, Information Disclosure, Memory Corruption.  Fixes 24 (+13 from Flash plug-in) vulnerabilities:  CVE-2015-6755, CVE-2015-6756, CVE-2015-6757, CVE-2015-6758, CVE-2015-6759, CVE-2015-6760, CVE-2015-6761, CVE-2015- 6762, CVE-2015-6763  Replaces: CHROME-149  Restart Required: 16 CHROME-150: Security updates available for Adobe Flash Player
  • 17. Shavlik Confidential  Maximum Severity: Important  Affected Products: Windows, Edge  Description: This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow information disclosure if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.  Impact: Information Disclosure  Fixes 2 vulnerabilities:  CVE-2015-6057, CVE-2015-6058  Replaces: 3081455,  Restart Required: Requires Restart 17 MS15-107: Cumulative Security Update for Microsoft Edge (3096448)
  • 18. Shavlik Confidential  Opera 18 Other lower priority updates for October
  • 19. Shavlik Confidential19 Review Patch Releases Since September Patch Tuesday • Microsoft: 53 (Non-Security), 3 (Security Advisories), 1 (Security Tool), 2 (Security) • Chrome: 1 (Security) • Opera: 1 (Security) • Box Sync: 2 (Non-Security) • Dropbox: 3 (Non-Security) • Splunk Universal Forwarder: 2 (Non-Security) • iTunes: 1 (Security) • Filezilla: 1 (Security) • PSPad: 2 (Non-Security) • TeamViewer: 1 (Non-Security) • VMware Horizon View Client: 1 (Non-Security) • Flash Player: 1 (Security) • Chrome: 2 (Security) • TortoiseSVN: 2 (Security) • Skype: 2 (Security) • FireFox: 3 (Security) • RealTimes: 1 (Non-Security) • Google Drive: 2 (Non-Security) • LibreaOffice: 1 (Non-Security) • HP System Management Homepage: 1 (Security) • Opera: 1 (Security) • SeaMonkey: 1 (Security) • CCleaner: 1 (Non-Security) • GotoMeeting: 1 (Non-Security) • Adobe Photoshop CC: 1 (Security) • Thunderbird: 1 (Security) • CoreFTP: 1 (Non-Security) • Citrix Studio: 1 (Non-Security) • Apache Tomcat: 1 (Non-Security) • Picasa: 1 (Security) • FoxIt Reader: 1 (Non-Security)
  • 20. Q&A
  • 21. Resources and Webinars
      • Slide deck and video playback available here: www.shavlik.com/Webinars
      • Sign up for next month's Patch Tuesday Webinar and view webinar playbacks: http://www.shavlik.com/webinars/
      • Sign up for Content Announcements:
          • Email http://www.shavlik.com/support/xmlsubscribe/
          • RSS http://protect7.shavlik.com/feed/
          • Twitter @ShavlikXML
      • Follow us on:
          • Shavlik on LinkedIn
          • Twitter @ShavlikProtect
          • Shavlik blog -> www.shavlik.com/blog
          • Chris Goettl on LinkedIn
          • Twitter @ChrisGoettl

Editor's Notes

  • #6: 4 public disclosures (across 3 bulletins)
  • #9: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Public Disclosures: CVE-2015-6056, CVE-2015-2552, CVE-2015-2553
  • #10: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Public Disclosure: CVE-2015-6056. Remote code execution vulnerabilities exist in the way that the VBScript and JScript engines render when handling objects in memory in Internet Explorer. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • #11: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Remote code execution vulnerabilities exist in the way that the VBScript and JScript engines render when handling objects in memory in Internet Explorer. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerabilities. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • #12: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. A remote code execution vulnerability exists when Windows Shell improperly handles objects in memory. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For an attack to be successful, this vulnerability requires that a user open a specially crafted toolbar object in Windows. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted toolbar object to the user and by convincing the user to open it. The update addresses the vulnerability by modifying how Windows Shell handles objects in memory. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes them to the attacker's website, or by opening an attachment sent through email. The update addresses the vulnerability by modifying how the Microsoft Tablet Input Band handles objects in memory.
  • #13: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Public Disclosure: CVE-2015-6039. A security feature bypass vulnerability exists in Microsoft SharePoint. The vulnerability is caused when Office Marketplace is allowed to inject JavaScript code that persists onto a SharePoint page, because SharePoint does not enforce the appropriate permission level for an application or user. An attacker who successfully exploited this vulnerability could perform persistent cross-site scripting attacks and run script (in the security context of the logged-on user) with malicious content that appears authentic. This could allow the attacker to steal sensitive information, including authentication cookies and recently submitted data. To exploit this vulnerability, an attacker must have the ability to update the Marketplace instance. The attacker could add malicious code to the Marketplace app that could then be pushed to the consuming SharePoint instances. The malicious script would enable the attacker to update code without having to go through the SharePoint farm/instance-level permissions.
  • #14: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Public Disclosure: CVE-2015-2552, CVE-2015-2553. A security feature bypass vulnerability exists when Windows fails to properly enforce the Windows Trusted Boot policy. An attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded on a target device. Furthermore, an attacker could bypass Trusted Boot integrity validation for BitLocker and Device Encryption security features. An attacker who has gained administrative privileges or who has physical access to a target device could exploit the vulnerability by applying a maliciously crafted Boot Configuration Data (BCD) setting. The security update addresses the vulnerability by improving how Windows parses BCD. An elevation of privilege vulnerability exists when Windows improperly validates junctions in certain scenarios in which mount points are being created. An attacker who successfully exploited this vulnerability could potentially run arbitrary code in the security context of the user running a compromised application. To exploit this vulnerability, an attacker would most likely have to leverage another vulnerability that allows them to run arbitrary code in a sandboxed application. The update addresses the vulnerability by correcting how Windows handles certain scenarios involving junction and mount-point creation.
  • #15: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. This is bumped up to Priority 1 because of the huge number of vulnerabilities in the release.
  • #16: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Flash Player requires 4 updates to completely resolve all vulnerabilities: Flash Player and the Flash Plug-In for IE, Chrome and Firefox.
  • #17: Shavlik Priority: Shavlik rates this bulletin as a Priority 1. This means you should update as soon as possible on all systems. Flash Player requires 4 updates to completely resolve all vulnerabilities: Flash Player and the Flash Plug-In for IE, Chrome and Firefox.
  • #18: Shavlik Priority: Shavlik rates this bulletin as a Priority 2. This means the update should be implemented in a reasonable timeframe after adequate testing. XSS Filter Bypass (CVE-2015-6058): A cross-site scripting (XSS) filter bypass exists in the way that Microsoft Edge disables an HTML attribute in otherwise appropriately filtered HTTP response data. The bypass could allow initially disabled scripts to run in the wrong security context, leading to information disclosure. An attacker could post on a website specially crafted content that is designed to exploit this bypass. The attacker would then have to convince the user to view the content on the affected website. If the user then browses to the website, the XSS filter disables HTML attributes in the specially crafted content, creating a condition that could allow malicious script to run in the wrong security context, leading to information disclosure. An attacker who successfully exploited this bypass could cause script to run on another user's system in the guise of a third-party website. Such script would run inside the browser when visiting the third-party website, and could take any action on the user's system that the third-party website was permitted to take. The bypass could only be exploited if the user clicked a hypertext link, either in an HTML email or if the user visited an attacker's website or a website containing content that is under the attacker's control. Any systems where Microsoft Edge is used frequently, such as workstations and terminal servers, are at the most risk from this bypass.
  • #19: Shavlik Priority: Shavlik rates this bulletin as a Priority 3. Consider this update for testing and rollout when convenient. Note: Some third-party updates may be non-security, but are still classified in Protect as Security. This is because the step from the current version to this version may include security fixes, depending on the version currently on a machine. An update would only be considered non-security if you were up to the latest version before the non-security release was made available.
  • #20:
      • Windows 10 Cumulatives:
          • CSWU-008 – Includes feature changes.
          • CSWU-009 – Includes feature changes.
      • Server 2003 Custom Content Feed:
          • Added support for MS15-082, MS15-083, MS15-084, MS15-087, MS15-096, MS15-097 and MS15-101
          • Added support for KB3072308
          • Added support for MS15-094
      • Added support for products: PSPad, TeamViewer, Adobe After Effects CC, Dreamweaver CC, Photoshop CC, Exchange 2016