
SANS ISC: Microsoft Update Advisory for February 2015 - SANS Internet Storm Center SANS ISC InfoSec Forums


Microsoft Update Advisory for February 2015

Overview of the February 2015 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS15-009 Security Update for Internet Explorer (Replaces MS14-080) | Microsoft Windows, Internet Explorer; (39 CVEs. Too many to list here) | KB 3034682 | . | Severity: Critical; Exploitability: 0 | Critical | Critical |
| MS15-010 Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (Replaces MS13-006 MS14-066 MS14-074 MS14-079) | Microsoft Windows; CVE-2015-0003, CVE-2015-0010, CVE-2015-0057, CVE-2015-0058, CVE-2015-0059, CVE-2015-0060 | KB 3036220 | vuln. public. | Severity: Critical; Exploitability: 2 | Critical | Critical |
| MS15-011 Vulnerability in Group Policy Could Allow Remote Code Execution (Replaces MS13-031 MS13-048 MS15-001) | Microsoft Windows; CVE-2015-0008 | KB 3000483 | . | Severity: Critical; Exploitability: 1 | Critical | Critical |
| MS15-012 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS13-085 MS14-023 MS14-081 MS14-083) | Microsoft Office; CVE-2015-0063, CVE-2015-0064, CVE-2015-0065 | KB 3032328 | . | Severity: Important; Exploitability: 1 | Critical | Important |
| MS15-013 Vulnerability in Microsoft Office Could Allow Security Feature Bypass | Microsoft Office; CVE-2014-6362 | KB 3033857 | vuln. public. | Severity: Important; Exploitability: 1 | Important | Important |
| MS15-014 Vulnerability in Group Policy Could Allow Security Feature Bypass | Microsoft Windows; CVE-2015-0009 | KB 3004361 | . | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-015 Vulnerability in Microsoft Windows Could Allow Elevation of Privilege (Replaces MS15-001) | Microsoft Windows; CVE-2015-0062 | KB 3031432 | . | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-016 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (Replaces MS14-085) | Microsoft Windows; CVE-2015-0061 | KB 3029944 | . | Severity: Important; Exploitability: 2 | Important | Important |
| MS15-017 Vulnerability in Virtual Machine Manager Could Allow Elevation of Privilege | Microsoft Server Software; CVE-2015-0012 | KB 3035898 | . | Severity: Important; Exploitability: | Important | Important |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.

 

Mark Baggett - Follow me on Twitter: @markbaggett

Join me in Orlando, Florida, April 13th. Attackers and Defenders will learn the essentials of Python, networking, regular expressions, interacting with websites, threading and much more. Sign up soon for discounted pricing.

 

Mark

81 Posts
ISC Handler
A good TechNet article explaining MS15-011 and MS15-014:

http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx
T

31 Posts
KB3001652 Visual Studio 2010 Tools patch from today's 'Patch Tuesday' set is not installing.

It hangs up the computer and cannot be stopped by choosing 'cancel'; Windows 7 x64 and likely Win 8 according to various other reports.


You can find the active svchost.exe and kill it to regain control.


If a user tries to 'reboot' out of the hung install, they will get stuck at logoff; requiring a 'power cycle' ungraceful shutdown.


Microsoft, PLEASE PULL THIS PATCH!
AnAdmin

10 Posts
Quoting AnAdmin: KB3001652 Visual Studio 2010 Tools patch from today's 'Patch Tuesday' set is not installing.
...


KB3001652 is from October 2014:

https://support.microsoft.com/kb/3001652
T

31 Posts
It might have been 'published' in October but until about 30 minutes ago, it was being pushed out with this AM's updates and hanging up machines.

MS has pulled KB3001652 from current Windows Update.

KB3034196 for IE11 appeared after KB3001652 was pulled by MS.


-------------
Links to others reporting this AM's 'horror':
-------------

http://stackoverflow.com/questions/9188447/visual-studio-2010-service-pack-1-is-not-installing

http://forums.overclockers.co.uk/showthread.php?p=27612025

http://www.eightforums.com/installation-setup/61425-update-failure-kb3001652.html

http://boards.4chan.org/g/thread/46506369
AnAdmin

10 Posts
Odd. KB 3001652 does not appear on the current WU/WSUS release list, https://support2.microsoft.com/kb/894199/en-us
WoodyLeonhard

8 Posts
If it is from October why did it wait to install until today on my fully patched 7 & 8.1 machines?

It does this on both Windows 7 and 8.1 machines. The 8.1 machine tried to continue the install when it was shut down normally and had to be powered down the hard way. It took longer to reboot. When the 7 machine was rebooted normally it immediately restarted the installation again during the reboot process.
KBR

63 Posts
Quoting AnAdmin: KB3001652 Visual Studio 2010 Tools patch from today's 'Patch Tuesday' set is not installing.

It hangs up the computer and cannot be stopped by choosing 'cancel'; Windows 7 x64 and likely Win 8 according to various other reports.


You can find the active svchost.exe and kill it to regain control.


If a user tries to 'reboot' out of the hung install, they will get stuck at logoff; requiring a 'power cycle' ungraceful shutdown.


Microsoft, PLEASE PULL THIS PATCH!



Same here on Win7/64bit... waited for an hour for this patch to install. During reboot of the hung install it got stuck on "Configuring Windows updates 30% complete Do not turn off your computer."
K-Dee

64 Posts
Hey guys, MS15-011 lists Server 2003 as affected, but no patch due to the magnitude of changes required. Since WinXP is so similar, I'm guessing that Windows XP is affected as well. My current employer has a bunch of XP laptops and we pay royally for support. I've asked our MSFT rep to find out if there's going to be a WinXP patch. There's no answer yet. Has anyone else heard?

As far as mitigating controls, I'm thinking that we only allow use of those laptops at our own facilities; no use on hostile networks (coffee shops, bakeries, fast food joints, hotels, etc).

What are other people doing?

MJ
MarkJx

5 Posts
After installing all but one patch -- the one patch I "hid" had something to do with whether I would be upgrading to Windows 8 or something like that; it was unchecked by default -- I rebooted a Windows Vista Home Premium PC. I panicked when I loaded Mathematica (which is running 24/7 on this PC, and is used very heavily, and is part of the normal post-reboot sequence) and the fonts were goofed up. All text in any Mathematica notebook looked like grayed-out text in a disabled Windows control. All the text and graphics in the whole screen looked like that. I tried looking around for relevant support options -- found none. I started browsing "just what was fixed" in the Windows Update -- nothing that jumped out. So I did a System Restore. That fixed the problem! Now, I realize I probably should have at least tried rebooting first. But like I said, I was panicking. Next time (if) I'll try a reboot, but I have to wonder why that would "fix" this problem: what happened on the first reboot?

Now 16 updates are available to install. Frankly, I don't know what to install. I already know to steer clear of the C++ update, at least for now. I'll muddle through this somewhere along the line. The last thing I want to do is lose the use of Mathematica! What if I do an install and System Restore doesn't fix it?

See also post below.
robv

8 Posts
Microsoft update KB3013455 part of Security bulletin MS15-10 is causing font rendering issues on Server 2003 SP2.

See attached screenshot for a comparison: http://snag.gy/263Zf.jpg
Anonymous
Posts
Thanks, anon. That screenshot could describe what I was seeing (NOTE: what I actually saw seemed a little worse, but I was panicking, used to seeing beautifully crisp text and graphics). I've now installed all recommended Windows Update changes EXCEPT for the one you pointed out ("Microsoft update KB3013455 part of Security bulletin MS15-10 is causing font rendering issues on Server 2003 SP2"), and I am happy to report Mathematica is still rendering fonts properly. Notice mine was a Windows Vista Home Premium system. I currently have this Windows Update change "hidden." I did install the C++ run-time update, since it didn't seem to be a problem on my PC.
robv

8 Posts
FYI: Just heard from our Microsoft representative. He is still confirming this, but it looks like Microsoft /will not/ be publishing a patch for WinXP for MS15-011, even for those people that are paying for support. This is not yet final.
MarkJx

5 Posts
In case this is related - it probably is - I had a critical update downloaded (Windows 7), despite having updates turned off, which blocked many of my gaming exe files including for games I was developing. It even deleted the desktop icons of some of the files. Unfortunately my last restore point seems of no use, probably because the update had been downloaded before February but activated after my February 1st last restore point date.

This update was critical enough for me as it made that computer next to useless, since I practically only used it for gaming. Please Microsoft do not do that!
Anonymous
Posts
