Microsoft kills many critical flaws, some 0-days, un-trusts one wildcard cert
For this December Patch Tuesday, Microsoft has released twelve security bulletins, eight of which have been rated critical.
Those refer to the cumulative security updates for Internet Explorer, Microsoft Edge, JScript and VBScript, and updates for Microsoft Windows DNS, Microsoft Graphics Component, Silverlight, Microsoft Office, and Microsoft Uniscribe.
“MS15-127 looks particularly ‘nasty’. A remote code execution vulnerability in Microsoft’s DNS server. Microsoft rates the exploitability as ‘2’, but doesn’t provide many details as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news in particular if you are using a Microsoft DNS server exposed to the public internet,” commented SANS ISC CTO Johannes Ullrich. “In this case, I would certainly expedite this patch. This is the vulnerability to look out for this time around.”
“While the other critical vulnerabilities would typically be exploited on a client platform running Microsoft software, many installations of Windows DNS will be exposed publicly on the Internet,” noted Karl Sigler, Threat Intelligence Manager, Trustwave.
“The vulnerability is a Use After Free memory bug that can give the attacker the ability to remotely execute arbitrary code in the context of the local system account. The vulnerability was responsibly disclosed to Microsoft by a third party, so it’s likely that technical details and a Proof of Concept will be released after users are given time to apply the patch.”
The update for Microsoft Office (MS15-131) fixes six vulnerabilities, and among them is a memory corruption vulnerability (one of five fixed) that could lead to remote code execution and that’s actively exploited in the wild.
The flaw can be exploited by making the user open a specially crafted file with an affected version of Microsoft Office software. Such a file can be delivered via email, or can be offered for download on a website visited by the user.
The MS15-135 bulletin fixes four Windows kernel memory elevation of privilege vulnerabilities, one of which is currently being exploited by attackers.
In order to exploit these flaws, attackers need to have local access to the system and log on to it, then deploy a specially crafted application to exploit the vulnerabilities and take control over the vulnerable system.
Microsoft also released a security advisory announcing the removal of a digital certificate from the Certificate Trust List (CTL).
“Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code,” the company explained, and pointed out that no attacks using the certificate have been spotted. They did not share how the incident happened.