
A True Remote Code Execution Bug

By ISBuzz Team, December 11, 2015

One of the most serious patches is one for a true remote code execution bug within the DNS implementation.

“Identified as MS15-127, Microsoft indicates that a crafted DNS request can trigger an exploitable use-after-free condition to achieve code execution in the context of the local system account. Although Microsoft has indicated that we are not likely to see reliable exploits being developed any time soon, it is imperative that administrators deploy this patch to affected servers as soon as possible,” explains Craig Young, cybersecurity researcher for Tripwire. Craig Young, Tyler Reguly (a manager of security research) and Lane Thames of Tripwire share their opinions below.

Craig Young, Cybersecurity Researcher for Tripwire:

“MS15-128 and MS15-129 are a reminder of the wide attack surface exposed by Silverlight. With malvertising on the rise, even reputable sites cannot always be assumed free from malicious content so patching these holes should be very high priority, along with the IE and Edge bulletins. Some administrators may wish to go a step further and consider the use of ad-blocking technology on corporate workstations.

For many, this is the time of year for gift giving but for many malware authors, it is also the time for giving malicious e-cards. Clients running vulnerable versions of Silverlight may be at an even greater risk for infection in light of CVE-2015-6166 which will likely have functional exploit code in the near future so this year please consider giving your Windows PC the gift of MS15-129.

In addition to the usual Office and IE code execution bugs, Microsoft’s final batch of updates for 2015 includes a true remote code execution bug within the DNS implementation. Identified as MS15-127, Microsoft indicates that a crafted DNS request can trigger an exploitable use-after-free condition to achieve code execution in the context of the local system account. Although Microsoft has indicated that we are not likely to see reliable exploits being developed any time soon, it is imperative that administrators deploy this patch to affected servers as soon as possible. Even without code execution, the potential loss of productivity from failed exploit attempts crashing DNS servers is tremendous as this is a fundamental technology for modern networking.”

Tyler Reguly, Manager of Security Research at Tripwire:

“While we’re wrapping up the year at MS15-135, given the number of times we’ve had a last minute Out of Band, it wouldn’t be surprising if we see MS15-136 added to the list. Either way this has been a record setting year for the number of bulletins issued by Microsoft.

MS15-127, a true remote code execution vulnerability, is a serious risk and it’s important that people understand the severity of this issue. The term ‘Remote Code Execution’ has been overused and misused by many vendors in recent years including Microsoft in this month’s MS15-132, which states: “could allow remote code execution if an attacker accesses a local system” — If you’re local, you’re no longer remote. This overuse among the vendors has led to people not paying as much attention to real remote code execution vulnerabilities. So when we say that MS15-127 is a remote code execution issue, we don’t mean that it’s a local issue (like MS15-132) or that it requires user interaction (like MS15-124), instead we mean that remote users without credentials can potentially execute code on your system. This is the true definition of a critical vulnerability and should be placed at the top of today’s patching queue for environments using Microsoft DNS.”

Lane Thames, Software Development Engineer and Security Researcher at Tripwire:

“Memory management issues and related memory misuse issues comprise the bulk of the December patches, but the issue with DNS request parsing, which is fixed in MS15-127, is the most critical. I’m not sure how often organizations utilize Microsoft DNS for their public facing DNS services, but it is used extensively within enterprise organizations who deploy Active Directory. With the amount of AD deployments across the globe, you can bet there are many servers that are currently affected by this remote code execution vulnerability. Administrators should place high priority on this particular patch.”

Adam Nowak, Active Lead Engineer, Rapid7:

“December continues this quarter’s trend with 10 bulletins addressing remote code execution (RCE) vulnerabilities, while the remaining two address elevation of privilege. The vulnerabilities affect Internet Explorer (7 and onwards), Edge, Office, Silverlight, VBScript scripting engine and Windows (Vista and onwards). It is advisable for users and administrators to patch the affected platforms.

Specifically, MS15-124, MS15-125 and MS15-128 are the bulletins to watch out for this month, addressing 33 vulnerabilities. Since a wide range of products are affected this month almost all Microsoft users should be on alert. Microsoft’s update addresses the vulnerabilities by resolving underlying issues with how certain functions in VBScript handle objects in memory, preventing cross site scripting (XSS) from incorrectly disabled HTML attributes, proper enforcement of content types and cross-domain policies.”

About Tripwire

Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.

About Rapid7

Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
