Category Archives: Vulnerability Management

Microsoft December 2015 Patch Tuesday Review

Microsoft released, on December 8th 2015, as part of its December 2015 Patch Tuesday, two updated security advisories, one new security advisory and twelve security bulletins. Of the twelve security bulletins, eight have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3119147 has been released for supported editions of:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-32.

Microsoft Security Advisory 3057154

MSA-3057154, released in July 2015, has been updated. The security advisory concerns hardening scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts, to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks. KB3057154 has been released for:

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 R2 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 R2 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)

Microsoft Security Advisory 3123040

MSA-3123040 concerns an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. KB2677070 has been released for:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows 10 Version 1511
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Phone 8
  • Windows Phone 8.1
  • Windows 10 Mobile

MS15-124 Cumulative Security Update for Internet Explorer

The MS15-124 security update, classified as Critical for remote code execution, fixes 30 privately reported vulnerabilities in Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. KB3116180 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6083 | 9.3 | No | No | Hui Gao of Palo Alto Networks |
| CVE-2015-6134 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative |
| CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team |
| CVE-2015-6138 | 4.3 | No | No | None |
| CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski |
| CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6141 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6143 | 9.3 | No | No | None |
| CVE-2015-6144 | 4.3 | No | No | Masato Kinugawa |
| CVE-2015-6145 | 9.3 | No | No | Cong Zhang and Yi Jiang, working with Beijing VRV Software Co., LTD. |
| CVE-2015-6146 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6147 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative |
| CVE-2015-6149 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6150 | 9.3 | No | No | B6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative |
| CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative |
| CVE-2015-6152 | 9.3 | No | No | Moritz Jodeit of Blue Frost Security |
| CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor) |
| CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent |
| CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6156 | 9.3 | No | No | Anonymous contributor, working with VeriSign iDefense Labs |
| CVE-2015-6157 | 4.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam |
| CVE-2015-6160 | 9.3 | No | No | Garage4Hackers, working with HP’s Zero Day Initiative |
| CVE-2015-6161 | 4.3 | No | No | Rh0 |
| CVE-2015-6162 | 9.3 | No | No | Wenxiang Qian of TencentQQBrowser |
| CVE-2015-6164 | 6.8 | No | No | None |

MS15-125 Cumulative Security Update for Microsoft Edge

The MS15-125 security update, classified as Critical for remote code execution, fixes 15 privately reported vulnerabilities in Microsoft Edge on Windows 10. KB3116184 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6139 | 9.3 | No | No | Michal Bentkowski |
| CVE-2015-6140 | 9.3 | No | No | Bo Qu of Palo Alto Networks |
| CVE-2015-6142 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6148 | 9.3 | No | No | A3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative |
| CVE-2015-6151 | 9.3 | No | No | Li Kemeng of Baidu Security Team (x-Team), working with HP’s Zero Day Initiative |
| CVE-2015-6153 | 9.3 | No | No | Shi Ji (@Puzzor) |
| CVE-2015-6154 | 9.3 | No | No | ChenDong Li and YunZe Ni of Tencent |
| CVE-2015-6155 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6158 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs |
| CVE-2015-6159 | 9.3 | No | No | Zheng Huang of the Baidu Scloud XTeam |
| CVE-2015-6161 | 4.3 | No | No | Rh0 |
| CVE-2015-6168 | 9.3 | No | No | SkyLined, working with HP’s Zero Day Initiative |
| CVE-2015-6169 | 4.3 | No | No | None |
| CVE-2015-6170 | 6.8 | No | No | Mario Heiderich of Cure53 |
| CVE-2015-6176 | 4.3 | No | No | Masato Kinugawa |

MS15-126 Cumulative Security Update for JScript and VBScript

The MS15-126 security update, classified as Critical for remote code execution, fixes 2 privately reported vulnerabilities in the VBScript scripting engine in Microsoft Windows. KB3116178 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6135 | 5.0 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative |
| CVE-2015-6136 | 9.3 | No | No | Simon Zuckerbraun, working with HP’s Zero Day Initiative; an anonymous researcher, working with HP’s Zero Day Initiative; Yuki Chen of Qihoo 360Vulcan Team |

MS15-127 Security Update for Microsoft Windows DNS

The MS15-127 security update, classified as Critical for remote code execution, fixes 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. KB3100465 has been released to fix the vulnerability below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6125 | 9.3 | No | No | None |

MS15-128 Security Update for Microsoft Graphics Component

The MS15-128 security update, classified as Critical for remote code execution, fixes 3 privately reported vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts. KB3104503 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6106 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6107 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6108 | 9.3 | No | No | None |

MS15-129 Security Update for Silverlight

The MS15-129 security update, classified as Critical for remote code execution, fixes 3 privately reported vulnerabilities in Microsoft Silverlight. KB3106614 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6114 | 4.3 | Yes | Yes | None |
| CVE-2015-6165 | 4.3 | No | No | Marcin 'Icewall' Noga of Cisco Talos |
| CVE-2015-6166 | 9.3 | No | No | None |

Details of the CVE-2015-6114 vulnerability have been disclosed publicly by @_Icewall from the Cisco Talos vulndev team.

MS15-130 Security Update for Microsoft Uniscribe

The MS15-130 security update, classified as Critical for remote code execution, fixes 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts. KB3108670 has been released to fix the vulnerability below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6130 | 9.3 | No | No | Hossein Lotfi, Secunia Research (now part of Flexera Software) |

MS15-131 Security Update for Microsoft Office

The MS15-131 security update, classified as Critical for remote code execution, fixes 6 privately reported vulnerabilities in Microsoft Windows. It is interesting to see that CVE-2015-6124 was privately reported but has been seen exploited in the wild. KB3116111 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6040 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6118 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs |
| CVE-2015-6122 | 9.3 | No | No | Steven Vittitoe of Google Project Zero |
| CVE-2015-6124 | 9.3 | No | Yes | None |
| CVE-2015-6172 | 9.3 | No | No | Haifei Li of Intel Security IPS Research Team |
| CVE-2015-6177 | 9.3 | No | No | Kai Lu of Fortinet's FortiGuard Labs |

MS15-132 Security Update for Microsoft Windows

The MS15-132 security update, classified as Important for remote code execution, fixes 3 privately reported vulnerabilities in Microsoft Windows. KB3116162 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6128 | 7.2 | Yes | Yes | Steven Vittitoe of Google Project Zero; Parvez Anwar |
| CVE-2015-6132 | 7.2 | No | No | None |
| CVE-2015-6133 | 7.2 | No | No | None |

Details of the CVE-2015-6128 vulnerability have been disclosed publicly with a proof of concept.

MS15-133 Security Update for Windows PGM

The MS15-133 security update, classified as Important for elevation of privilege, fixes 1 privately reported vulnerability in Microsoft Windows. KB3116130 has been released to fix the vulnerability below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6126 | 7.2 | No | No | None |

MS15-134 Security Update for Windows Media Center

The MS15-134 security update, classified as Important for remote code execution, fixes 2 privately reported vulnerabilities in Microsoft Windows. KB3108669 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6127 | 4.3 | Yes | Yes | Francisco Falcon of Core Security |
| CVE-2015-6131 | 9.3 | Yes | Yes | Zhang YunHai of NSFOCUS Security Team |

Details of the CVE-2015-6127 vulnerability have been disclosed publicly with a proof of concept.

Details of the CVE-2015-6131 vulnerability have been disclosed publicly with a proof of concept.

MS15-135 Security Update for Windows Kernel-Mode Drivers

The MS15-135 security update, classified as Important for elevation of privilege, fixes 4 privately reported vulnerabilities in Microsoft Windows. It is interesting to see that CVE-2015-6175 has been publicly reported and also seen exploited in the wild. KB3119075 has been released to fix the vulnerabilities below:

| CVE | CVSS score | Disclosed | Exploited | Credit |
| --- | --- | --- | --- | --- |
| CVE-2015-6171 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6173 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6174 | 7.2 | No | No | Nils Sommer of bytegeist, working with Google Project Zero |
| CVE-2015-6175 | 7.2 | Yes | Yes | None |

Oracle Java Critical Patch Update June 2013 Review

Oracle released its Java Critical Patch Update (CPU) for June 2013 on Tuesday, June 18. Of the 40 security vulnerabilities fixed in this CPU, 37 may be remotely exploitable. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you may also know, security researchers disagree with Oracle's usage of CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating, which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from the way it is defined in CVSS 2.0.

Affected products are:

  • JDK and JRE 7 Update 21 and earlier
  • JDK and JRE 6 Update 45 and earlier
  • JDK and JRE 5.0 Update 45 and earlier
  • JavaFX 2.2.21 and earlier

11 of the vulnerabilities have a CVSS base score of 10.0, 20 of the vulnerabilities have a high CVSS base score (CVSS >= 7.0), 18 of the vulnerabilities have a medium CVSS base score (4.0 <= CVSS < 7.0) and 2 of the vulnerabilities have a low CVSS base score (CVSS < 4.0). Also, 33 of the vulnerabilities affect Java SE 6 and 38 of the vulnerabilities affect Java SE 7.

APSB13-16 – Adobe Flash June 2013 Security Bulletin Review

Adobe released, on June 11th 2013, as part of its June Patch Tuesday, one Adobe Flash security bulletin dealing with one vulnerability. This security bulletin has a Critical severity rating. The associated vulnerability has a 10.0 CVSS base score.

APSB13-16 – Adobe Flash June 2013 Security Bulletin Review

APSB13-16 concerns:

  • Adobe Flash Player 11.7.700.202 and earlier versions for Windows
  • Adobe Flash Player 11.7.700.203 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.285 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.58 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.54 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.7.0.1860 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.7.0.1860 and earlier versions for Android
  • Adobe AIR 3.7.0.1860 SDK & Compiler and earlier versions

CVE-2013-3343 (10.0 CVSS base score), was discovered and privately reported by Mateusz Jurczyk and Ben Hawkes of the Google Security Team.

Microsoft June 2013 Patch Tuesday Review

Microsoft released, on June 11th 2013, as part of its June Patch Tuesday, one updated security advisory, one new security advisory and five security bulletins. Of the five security bulletins, one has a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801, released in September 2012, has been updated. The security advisory concerns updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2847928 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-16.

Microsoft Security Advisory 2854544

MSA-2854544 concerns improvements to cryptography and digital certificate handling in Windows. KB2813430 expands Certificate Trust List (CTL) functionality for managing private PKI environments on Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

MS13-047 Cumulative Security Update for Internet Explorer

The MS13-047 security update, classified as Critical for remote code execution, fixes nineteen privately reported vulnerabilities in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10.

  • CVE-2013-3126 (2.0 CVSS base score) and CVE-2013-3123 (9.3 CVSS base score) were discovered and privately reported by [email protected], working with HP’s Zero Day Initiative.
  • CVE-2013-3110 (9.3 CVSS base score) was discovered and privately reported by Scott Bell of Security-Assessment.com.
  • CVE-2013-3111 (9.3 CVSS base score) and CVE-2013-3120 (9.3 CVSS base score) were discovered and privately reported by SkyLined, working with HP’s Zero Day Initiative.
  • CVE-2013-3112 (9.3 CVSS base score), CVE-2013-3121 (9.3 CVSS base score), CVE-2013-3122 (9.3 CVSS base score) and CVE-2013-3141 (9.3 CVSS base score) were discovered and privately reported by anonymous researchers, working with HP’s Zero Day Initiative.
  • CVE-2013-3113 (9.3 CVSS base score), CVE-2013-3114 (9.3 CVSS base score), CVE-2013-3116 (9.3 CVSS base score) and CVE-2013-3117 (9.3 CVSS base score) were discovered and privately reported by Ivan Fratric and Ben Hawkes of the Google Security Team.
  • CVE-2013-3118 (9.3 CVSS base score) and CVE-2013-3125 (9.3 CVSS base score) were discovered and privately reported by Omair, working with HP’s Zero Day Initiative.
  • CVE-2013-3119 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security, working with HP’s Zero Day Initiative.
  • CVE-2013-3124 (9.3 CVSS base score) and CVE-2013-3125 (9.3 CVSS base score) were discovered and privately reported by Omair, working with HP’s Zero Day Initiative, and by Amol Naik also working with HP’s Zero Day Initiative.
  • CVE-2013-3139 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher.
  • CVE-2013-3142 (9.3 CVSS base score) was discovered and privately reported by Toan Pham Van, working with HP’s Zero Day Initiative.

MS13-048 Vulnerability in Windows Kernel Could Allow Information Disclosure

The MS13-048 security update, classified as Important for information disclosure, fixes one privately reported vulnerability in the Windows Kernel. CVE-2013-3136 (4.4 CVSS base score) was discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-049 Vulnerability in Kernel-Mode Driver Could Allow Denial of Service

The MS13-049 security update, classified as Important for denial of service, fixes one privately reported vulnerability in the Windows Kernel-Mode Driver. CVE-2013-3138 (7.1 CVSS base score) was discovered and privately reported by an anonymous security researcher.

MS13-050 Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege

The MS13-050 security update, classified as Important for elevation of privilege, fixes one privately reported vulnerability in Windows Print Spooler Components. CVE-2013-1339 (9.0 CVSS base score) was discovered and privately reported by an anonymous security researcher.

MS13-051 Vulnerability in Microsoft Office Could Allow Remote Code Execution

The MS13-051 security update, classified as Important for remote code execution, fixes one privately reported vulnerability in Microsoft Office. CVE-2013-1331 (9.3 CVSS base score) was discovered and privately reported by Andrew Lyons and Neel Mehta of Google Inc.