July 2015 Microsoft Patch Tuesday - SANS Internet Storm Center

Overview of the July 2015 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS15-058	Remote Code Execution Vulnerabilities in SQL Server (This bulletin was supposed to be part of the June 2015 patch Tuesday, but got delayed until today)
MS15-058	SQL Server CVE-2015-1761 CVE-2015-1762 CVE-2015-1763	KB 3065718	no.	Severity:Important Exploitability: 2	N/A	Important
MS15-065	Internet Explorer Rollup Patch (Replaces MS15-056 )
MS15-065	Internet Explorer CVE-2015-1729 CVE-2015-1733 CVE-2015-1738 CVE-2015-1767 CVE-2015-2372 CVE-2015-2383 CVE-2015-2384 CVE-2015-2385 CVE-2015-2388 CVE-2015-2389 CVE-2015-2390 CVE-2015-2391 CVE-2015-2397 CVE-2015-2398 CVE-2015-2401 CVE-2015-2403 CVE-2015-2404 CVE-2015-2405 CVE-2015-2406 CVE-2015-2408 CVE-2015-2410 CVE-2015-2411 CVE-2015-2412 CVE-2015-2413 CVE-2015-2414 CVE-2015-2419 CVE-2015-2421 CVE-2015-2422 CVE-2015-2425	KB 3076321	CVE-2015-2398 has been publicly disclosed..	Severity:Critical Exploitability: 0	Critical	Important
MS15-066	Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS15-019 )
MS15-066	VBScript CVE-2015-2372	KB 3072604	no.	Severity:Critical Exploitability: 1	Critical	Important
MS15-067	Remote Code Execution Vulnerability in RDP (Replaces MS15-030 )
MS15-067	RDP CVE-2015-2373	KB 3073094	no.	Severity:Critical Exploitability: 3	Critical	Critical
MS15-068	Remote Code Execution Vulnerabilities in Hyper-V
MS15-068	Hyper-V CVE-2015-2361 CVE-2015-2362	KB 3072000	no.	Severity:Critical Exploitability: 2	N/A	Critical
MS15-069	Remote Code Execution Vulnerabilities in Windows
MS15-069	Windows and Windows Media Device Manager CVE-2015-2368 CVE-2015-2369	KB 3072631	unauthorized DLL loading is an ongoing issue.	Severity:Important Exploitability: 1	Critical	Important
MS15-070	Remote Code Execution Vulnerabilities in Office (Replaces MS13-084 MS15-022 MS15-033 MS15-046 )
MS15-070	Microsoft Office (including Mac and Sharepoint) CVE-2015-2376 CVE-2015-2377 CVE-2015-2379 CVE-2015-2380 CVE-2015-2415 CVE-2015-2424 CVE-2015-2375 CVE-2015-2378	KB 3072620	CVE-2015-2424 has been used in exploits..	Severity:Important Exploitability: 1	Critical	Important
MS15-071	Spoofing Vulnerability in Netlogon (Replaces MS15-027 )
MS15-071	Netlogon CVE-2015-2374	KB 3068457	no.	Severity:Important Exploitability: 3	Important	Important
MS15-072	Elevation of Privilege Vulnerability in Windows Graphics Component (Replaces MS15-035 )
MS15-072	Windows Graphics component CVE-2015-2364	KB 3069392	no.	Severity:Important Exploitability: 1	Important	Important
MS15-073	Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-061 )
MS15-073	Kernel Mode Drivers CVE-2015-2363 CVE-2015-2365 CVE-2015-2366 CVE-2015-2367 CVE-2015-2381 CVE-2015-2382	KB 3070102	no.	Severity:Important Exploitability: 2	Important	Important
MS15-074	Elevation of Privilege Vulnerability in Windows Installer Service (Replaces MS49-049 )
MS15-074	Windows Installer Service CVE-2015-2371	KB 3072630	no.	Severity:Important Exploitability: 1	Important	Important
MS15-075	Elevation of Privilege Vulnerability in OLE (Replaces MS13-070 )
MS15-075	OLE CVE-2015-2416 CVE-2015-2417	KB 3072633	no.	Severity:Important Exploitability: 1	Critical	Important
MS15-076	Elevation of Privilege in Windows RPC (Replaces MS15-055 )
MS15-076	Windows RPC CVE-2015-2370	KB 3067505	no.	Severity:Important Exploitability: 2	Important	Important
MS15-077	Elevationof Privilege Vulnerability in ATM Font Driver (Replaces MS15-021 )
MS15-077	ATM Font Driver (ATMFD.DLL) CVE-2015-2387	KB 3077657	Exploits Detected.	Severity:Important Exploitability: 0	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Important patches for servers that do not use outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threats.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

Johannes

4510 Posts
ISC Handler

Jul 15th 2015

Two things people need to remember: First, this is the last month for Windows 2003 patches. Second, beginning in January 2016, Microsoft will only patch the most recent version of IE so the time to upgrade is now.

Anonymous

MS link is incorrect, should be: https://technet.microsoft.com/library/security/ms15-jul

JRD

1 Posts

No mention in the MS15-067 notices as to whether NLA-only RDP access (network layer authentication) mitigates the RDP vulnerability. Generally this has been the case. Does anyone know for certain?

Starlight

34 Posts

According to the bulletin, MS15-071 (Netlogon) only affects servers so your table should show N/A for clients ( https://technet.microsoft.com/en-us/library/security/ms15-071.aspx ).

patermann

35 Posts

Microsoft has information in KB 2264107 about mitigating DLL search-path exploitation, titled "A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm." Since this month's batch included such an issue, I was surprised they didn't mention it as a workaround.

In my case, setting the system-wide CWDillegalinDLLsearch to its strictest setting, FFFFFFFF, did break one app, an old image editor, which I had to make an exemption for in the Registry. So test carefully if you decide to use this.

patermann
12 Posts

Updates trashed the virtual switch on one of my Hyper-V 2012R2 servers, resulting in a visit to the datacenter to fix. Proceed with caution! I don't know which update caused it but suspect the MS15-068 Remote Code Execution Vulnerabilities in Hyper-V.

RichH

9 Posts

Finished updating my 2012R2 server, and nothing happened with the Virtual Switch on that Hyper-V host.

K-Dee

68 Posts