Microsoft's Patch Tuesday updates, released this morning, continue the company's headaches over publicly disclosed security flaws in its products. Last month saw fixes for bugs that had been discovered and disclosed by Google's Project Zero.
This month's batch of nine updates includes three that are rated Critical, all with the potential to allow remote code execution on an unpatched system:
- MS15-009 This security update for Internet Explorer is a whopper, fixing one publicly disclosed vulnerability and 40 privately reported vulnerabilities in Internet Explorer. It does not include a fix for a recently reported cross-site-scripting (XSS) vulnerability that could allow attackers to steal credentials from visitors to a compromised website.
- MS15-010 This security update closes a half-dozen vulnerabilities, including one publicly disclosed issue, in Windows 7 and 8.x as well as Windows Server 2008 R2 and later editions. The flaws are in a Windows kernel-level component that handles TrueType fonts.
- MS15-011 Devices connected to Windows domains are at risk from the vulnerability patched in this update, which affects all supported versions of Windows, desktop and server. The flaw can be exploited by convincing a user to connect to an untrusted network, such as Wi-Fi hotspot.
The MS15-011 update was fixed more than a year after first being privately reported to Microsoft by researcher Jeff Schmidt, who discovered the bug while working under contract for ICANN. According to Schmidt, the circumstances around this vulnerability are "unusual, if not unprecedented, necessitating the very long remediation cycle. ... The fix required Microsoft to re-engineer core components of the operating system and to add several new features."
Microsoft has published a detailed explanation of the fix in this TechNet blog post.
Anyone still running Windows Server 2003 should pay special attention to that last update, which will not be released for that operating system. As the bulletin explains:
The architecture to properly support the fix provided in the update does not exist on Windows Server 2003 systems, making it infeasible to build the fix for Windows Server 2003. To do so would require re-architecting a very significant amount of the Windows Server 2003 operating system, not just the affected component. The product of such a re-architecture effort would be sufficiently incompatible with Windows Server 2003 that there would be no assurance that applications designed to run on Windows Server 2003 would continue to operate on the updated system.
Extended support for Windows Server 2003 ends July 14, 2015. Given this vulnerability it might be time for administrators to accelerate its demise in production environments.
There's also a fresh security update for Flash Player in Internet Explorer 10 and 11, the third release in the past two weeks.
The remaining five updates are all rated Important.
Two affect Microsoft Office, with MS15-012 repairing a flaw that can be triggered by a booby-trapped Office document and MS15-013 fixing a publicly reported "security feature bypass" in Office 2007 and later versions.
The fix in MS15-014 blocks man-in-the-middle attacks that attempt to change Group Policy settings back to their default (and possibly less secure) state, while MS15-015 prevents an escalation-of-privilege attack that could allow an authenticated user to acquire administrative credentials on an exploited system.
MS15-016 involves a fix for a vulnerability in a Microsoft graphics component that could be exploited with a specially crafted TIFF file.
Server administrators will want to pay special heed to MS15-017. This patch is rated Important for Microsoft System Center 2012 R2 Virtual Machine Manager Update Rollup 4. It doesn't affect desktop Windows users but could have huge implications for sites that use VMM to administer multiple virtual servers.
This month's already large pack of updates includes one re-released Security Bulletin, MS14-083, for Microsoft Excel.
Security Advisory 3009008, originally released in October of last year, was revised. The advisory, titled Vulnerability in SSL 3.0 Could Allow Information Disclosure, documents problems with the SSL 3.0 standard. Today's update prevents insecure fallback to SSL 3.0 in Internet Explorer 11 for Protected Mode sites; SSL 3.0 will be disabled in the default configuration of Internet Explorer 11 (and across Microsoft online services) in April.
More details on the SSL 3.0 changes are available in a post on the IE blog.
Finally, one optional update released today, an Update Rollup for Visual Studio 2010 Tools for Office Runtime, was pulled from distribution within two hours after widespread reports that the update was causing the update process to hang on some systems. That might be a record for fastest-ever response for a balky update.