September 2015 Microsoft Patch Tuesday

Published: 2015-09-08
Last Updated: 2015-09-09 01:03:57 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

Overview of the September 2015 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS15-094 Cumulative Security Update for Internet Explorer
(Replaces MS15-093)
CVE-2015-2483 , CVE-2015-2484, CVE-2015-2485, CVE-2015-2486, CVE-2015-2487, CVE-2015-2489, CVE-2015-2490, CVE-2015-2491, CVE-2015-2492, CVE-2015-2493, CVE-2015-2494, CVE-2015-2498, CVE-2015-2499, CVE-2015-2500, CVE-2015-2501, CVE-2015-2541, CVE-2015-2542 KB 3089548 . Severity:Critical
Exploitability: 1
Critical Critical
MS15-095 Cumulative Security Update for Microsoft Edge
KB 3089665 . Severity:Critical
Exploitability: 1
Critical Critical
MS15-096 Vulnerability in Active Directory Service Could Allow Denial of Service
(Replaces MS14-016)
CVE-2015-2535 KB 3072595 . Severity:Important
Exploitability: 3
Important Important
MS15-097 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution
CVE-2015-2506 CVE-2015-2507 CVE-2015-2508 CVE-2015-2510 CVE-2015-2511 CVE-2015-2512 CVE-2015-2517 CVE-2015-2518 CVE-2015-2527 CVE-2015-2529 CVE-2015-2546 KB 3089656 exploit detected for CVE-2015-2546 Severity:Critical
Exploitability: 0
Critical Critical
MS15-098 Vulnerabilities in Windows Journal Could Allow Remote Code Execution
(Replaces MS15-045)
KB 3089669 . Severity:Critical
Exploitability: 3
Critical Critical
MS15-099 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
(Replaces MS15-059 MS15-070 MS15-081)
KB 3089664 exploit in the wild Severity:Critical
Exploitability: 0
Critical Important
MS15-100 Vulnerability in Windows Media Center Could Allow Remote Code Execution
CVE-2015-2509 KB 3087918 no Severity:Important
Exploitability: 2
Critical Important
MS15-101 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
(Replaces MS12-025 )
KB 3089662   Severity:Important
Exploitability: 1
Important Important
MS15-102 Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege
(Replaces MS14-054)
KB 3089657 . Severity:Important
Exploitability: 1
Important Important
MS15-103 Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure
(Replaces MS15-064)
KB 3089250 . Severity:Important
Exploitability: 3
N/A Important
MS15-104 Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege
(Replaces MS14-055)
KB 3089952 . Severity:Important
Exploitability: 3
N/A Important
MS15-105 Vulnerability in Windows Hyper-V Could Allow Security Feature Bypass
CVE-2015-2534 KB 3091287 . Severity:Important
Exploitability: 2
N/A Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.


Johannes B. Ullrich, Ph.D.

Keywords: mspatchday
14 comment(s)

A Close Look at PayPal Overpayment Scams That Target Craigslist Sellers

Published: 2015-09-08
Last Updated: 2015-09-08 12:25:06 UTC
by Lenny Zeltser (Version: 1)
3 comment(s)

My hope is that when people become familiar with the tactics employed by scammers, they will be less likely to get ripped off. With this in mind, I'd like to describe my recent interactions with miscreants who target sellers on Craigslist. Perhaps the details I've gathered about the scammer's operation will help curtail such activities. This encounter, which involved SMS messages, emails and a click, is a variation of a PayPal-themed overpayment scam that has been quite prolific in the recent years.

"Working in a very rural area"

The text message from 731-907-0226 arrived in response to my Craigslist post that advertised a furniture item for sale. "Text me back at (7312777303 if you still have it, am interested. Text only". My ad included a temporary phone number I set up just for cases like this. Responding to the sender of this message produced no reply; however, when I texted 731-277-7303, I received a quick answer:

"My name is Rick Smith. I am buying this as a surprise,I work with Turner Construction,we are currently working at a very rural area which makes it very hard for me to make phone calls. I have a Mover who will come for the pickup, I will be making the payment via PayPal that is the only payment option."

This message achieved two critical objectives for the scammer. First, the person began crafting a story that will later provide an excuse for asking the victim to wire funds to a third party. In addition, the scammer was establishing a reason why he could interact with me using voice calls. The supposed buyer was claiming to be in an area where voice calls didn't work. In another variation of a Craigslist-originating scam, scammers used the excuse of being on active duty in the military, which precluded non-text communications. Scammers might shy away from phone calls, in part because interacting with multiple targets this way is time-consuming; also, calls might reveal too many details about the scammer.

The scammer also requested my email address, so he could send me payment. He insisted that PayPal was the only payment method he could accommodate. As is common in schemes that target Craigslist users, the scammer didn't want to contact the victim using the Craigslist email relay, probably to avoid getting blocked by that system.

The scammer's phone numbers above were associated with the VoIP company, which makes its virtual numbers available to other providers, such as Google Voice according to Phone Validator.

"You are required to send the $680.00"

After I supplied my email address, which I set up for interactions like this, I received a reply:

"Please check your email for the notification and instructions,but if you don’t get the notification in your inbox please check the spam. PayPal must have sent you some emails by now, I think you need to follow some steps. please check both spam/junk and inbox and get back to me ASAP."

Indeed, my Hotmail inbox included a message with the subject "Notification Of An Instant Payment From Rick Smith(". Although it was designed to look like it came from PayPal, its headers told a different story:

Authentication-Results:; spf=pass (sender IP is; dkim=none; x-hmca=none
From: "" <>
Date: Sun, 30 Aug 2015 19:20:59 +0100
Subject: Notification Of An Instant Payment From Rick Smith(

The headers confirmed that the message was sent using Gmail ( belongs to Google). The actual sender was

All emails I received from the scammer had the Date: stamp that included the +0100 time zone designation, lending some credence to the hypothesis that the person was sending the messages from a Central European Time (CET) country.

The notice listed the buyer's as, which might be an artifact carelessly left from an earlier version of the scam. The email indicated that the supposed payment was significantly larger than what I had requested on Craigslist. It included an explanation for this overpayment:

"Rick Smith has made his intentions known to PayPal® that he will like $680.00 USD to be sent to the recipient's address below.You are required to send the $680.00 USD via Money Gram Money Transfer."

This was a setup for the overpayment scam, in which victims are persuaded to pay a third-party on behalf of the miscreant.

"We are working with Money Gram on this transaction."

Despite the (fake) email confirmation of payment, no funds were actually deposited into the PayPal account I set up for such interactions. When I asked the "buyer" about this discrepancy, he explained:

"As per the e-mail PayPal sent to me which is also similar to yours which i hope you receive, you will have to pay an upfront payment out of your pocket via Money Gram to the address given to you, and you will be given the information which is the Reference Number you will email to PayPal by replying to the confirmation mail from them regarding the details you have from Money Gram, you will receive the whole money in your account without any delay."

The fake PayPal message in my inbox clarified that I might not see the funds in my PayPal account until I sent money to the buyer's pickup agent using MoneyGram. The email provided further assurances:

"The money has now been deducted from the buyer's account and is ready to be deposited into your PayPal® account. Please reply this email directly with the Information needed from you. While funds are pending, the money belongs to you but is not available to spend or withdraw."

Soon, I received two more messages claiming to be from PayPal and impressing upon me of the safety of the transaction:

"My name is Mellisa and it is my pleasure to assist you in regards to the transaction between you and Rick Smith. We cannot credit your account until you send us the transfer details, but I am very happy to be assigned to tell you that the transaction is 100% secure and legitimate, we want to use this medium to tell you once again that the amount of $1,680.00 USD has been made to your account by Rick Smith."

The email stated that if I had any concerns, I should express them by responding to the message. The email software would make the victim believe that such queries would go to, while in reality they would be directed to

"Go to any Money Gram Outlet close to your home"

According to fake PayPal's emails, I had to take one last step to complete the transaction: I had to send money via Money Gram to the buyer's agent, who would be responsible for picking up the purchased item from my location. This step was explained in multiple emails, including the one from the supposed buyer, Rick Smith, which came from

"I want you to know that i added an extra fee of $680 to the total payment which i need you to help send to the agent coming for pick up and it needs to be sent via Money Gram as that's the only way they can get it. I am sorry i should have informed you but i only got the urgent message from the pick up agent that they will need the funds before they can come to pick up when i was about making the payment. [...] I also added $100 the Money Gram charges."

One of the messages specified the name of the person who would pick up the money in Bangor, PA in the US. In the context of this scam, this person was acting as a money mule.

Though my emails to the fake PayPal account went unanswered, the scammer did respond from when I asked why he couldn't pay the pick-up agent directly:

"There is no money gram here to make the transfer and I tried more that 4 times making the transfer online but they keep on rejecting my card."

So, to receive payment for the item I was selling, I had to first send irrevocable funds to someone in Pennsylvania. In this case, the scammer requested funds via MoneyGram. Other variations of the scam that I've seen asked the victim to transfer funds using Western Union. Supposedly the money I would receive via PayPal would reimburse me for that expense.

"Surf anonymously"

Curious whether I could gather any information about the scammer, I emailed him (or her) a link to a benign image that resided on my temporary web server. In my email message to the scammer I asked for help making sense of MoneyGram's website and provided a URL to the screenshot. The scammer initially told me to visit MoneyGram in person, but after I threatened to give up on the transaction, I saw someone retrieving the image from my server:

GET /images/screenshot15.jpg HTTP/1.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

If these headers are to be believed, the scammer was using an up-to-date version of Google Chrome on Windows 7.

The connection came from This IP is on a /24 subnet assigned to Kaia Global Networks in the US, on the Sprint network according to Robtex. One Wikipedia page I found indicated that this subnet hosted CyberGhost VPN exit nodes. I downloaded this provider's VPN client and was able to confirm that is, indeed, one of the IPs associated with the paid version of the service.

Alas, the scammer was careful to obscure his origins by tunneling through the this Romania-based VPN service, which is designed "protect your online privacy, surf anonymously and access blocked or censored content." According to my testing, CyberGhost's VPN doesn't modify browser headers, though the scammer could have tweaked them using other means.

"The nature of my work"

I searched the web for the artifacts exhibited by the scammer in the interactions above to assess the scope of the malevolent activities. I found a few complaints associated with the two phone numbers. They dated to 2014, possibly because these VoIP numbers were misused for other shady machinations (1, 2, 3) at the time. I saw no mention of, though was associated with several complaints that began in April 2014 and matched the pattern of this scam. At the time, "Rick Smith" was using other phone numbers, including 610-455-5663 and 914-268-3815.

When I pivoted my search on "Rick Smith," I came across numerous reports (1, 2, 3, 4) from Craigslist sellers who were targeted in the manner described above. The phone numbers in these complaints were too numerous to list here. The reports mentioned other names and email addresses employed in the scam, including:, Anthony Smith,, Richard Johnson,,,,,,,,,,, Frank Rick,,,, etc.

The scammer's pickup agentsmoney mules mentioned in the discussion forums above included: Levon Rivers, Columbus, OH 43227; David. Jacobo, Federal Way, WA 98003; Rob Frazier, Brooklyn, NY 11212; Terry Dunn, Lebanon, OH 45036; and Billy Ray Mayo, Livingston, LA 70754.

The earliest mention of the activities I observed and attributed to this scammer date to January 2012. At the time, the scammer used the email address—the same address included in the body of the fake PayPal notification email that I received. The scammer's target wrote that the scammer claimed to be on active duty in the military, using that excuse to explain why he could not speak on the phone or pick up the item in person. The scammer reportedly stated, "Am not available to talk through phone due to the nature of my work."

This set of scams might be the work of a single miscreant. It's also possible that a group of scammers is using a common toolkit to prey on Craigslist sellers. Regardless, I'm disheartened to see the volume of complaints associated with these activities. The person or people behind them seem to be operating with apparent impunity for years. Perhaps some of the details above can assist law enforcement with weaving these malicious actions into a pattern that helps identify the individual(s) responsible for them.

For more of my articles about online scams, take a look at How Victims Are Redirected to IT Support Scareware Sites and Conversation With a Tech Support Scammer.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and Google+. He also writes a security blog.

3 comment(s)


What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> public bathroom near me</a>
<a hreaf=""> nearest public toilet to me</a>
<a hreaf=""> public bathroom near me</a>
Enter comment here... a fake TeamViewer page, and that page led to a different type of malware. This week's infection involved a downloaded JavaScript (.js) file that led to Microsoft Installer packages (.msi files) containing other script that used free or open source programs.
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
Enter corthrthmment here...

Diary Archives