Microsoft March Patch Tuesday

Overview of the March 2015 Microsoft patches and their status.

#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	ISC rating(*)
#	Affected	Contra Indications - KB	Known Exploits	Microsoft rating(**)	clients	servers
MS15-018	Cumulative Security Update For Internet Explorer (Replaces MS15-009 ) (note that for IE8 and later, the VBScript vulnerability CVE-2015-0032 is addressed by MS15-019)
MS15-018	Internet Explorer CVE-2015-0032 CVE-2015-0056 CVE-2015-0072 CVE-2015-0099 CVE-2015-0100 CVE-2015-1622 CVE-2015-1623 CVE-2015-1624 CVE-2015-1625 CVE-2015-1626 CVE-2015-1627 CVE-2015-1634	KB 3040297	CVE-2015-1625 has been disclosed in public, but no exploits seen yet..	Severity:Critical Exploitability: 1	Critical	Critical
MS15-019	Remote Code Execution Vulnerability in VBScript Scripting Engine (Replaces MS14-084 )
MS15-019	VBScript CVE-2015-0032	KB 3040297	no known exploits.	Severity:Critical Exploitability: 1	Critical	Important
MS15-020	Remote Code Execution Via Loading Untrusted DLLs and Windows Text Service Memory Corruption (Replaces MS14-027 )
MS15-020	Windows Text Services CVE-2015-0081 CVE-2015-0096	KB 3041836	no known exploits.	Severity:Critical Exploitability: 2	Critical	Critical
MS15-021	Remote Code Execution Vulnerability in Adobe Font Drivers (Replaces MS13-081 )
MS15-021	Adobe Font Drivers CVE-2015-0074 CVE-2015-0087 CVE-2015-0088 CVE-2015-0089 CVE-2015-0090 CVE-2015-0091 CVE-2015-0092 CVE-2015-0093	KB 3032323	no known exploits.	Severity:Critical Exploitability: 2	Critical	Important
MS15-022	Remote Code Execution Vulnerability in Microsoft Office (Replaces MS13-072 MS14-022 MS14-023 MS14-050 MS14-073 MS15-012 )
MS15-022	Microsoft Office CVE-2015-0085 CVE-2015-0086 CVE-2015-0097 CVE-2015-1633 CVE-2015-1636	KB 3038999	no known exploits.	Severity:Critical Exploitability: 1	Critical	Important
MS15-023	Elevation of Privilege Vulnerability in Kernel Mode Drivers (Replaces MS15-010 )
MS15-023	Kernel Mode Drivers CVE-2015-0077 CVE-2015-0078 CVE-2015-0094 CVE-2015-0095	KB 3034344	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-024	Information Disclosure Vulnerability in PNG Processing (Replaces MS15-016 )
MS15-024	Windows CVE-2015-0080	KB 3035132	no known exploits.	Severity:Important Exploitability: 3	Important	Important
MS15-025	Elevation of Privilege / Impersonation Vulnerability in Windows Kernel (Replaces MS13-031 MS15-010 MS15-015 )
MS15-025	Windows Kernel CVE-2015-0073 CVE-2015-0075	KB 3038680	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-026	Cross Site Scripting Vulnerabilities in Microsoft Exchange Server
MS15-026	Microsoft Exchange Server CVE-2015-1628 CVE-2015-1629 CVE-2015-1630 CVE-2015-1631 CVE-2015-1632	KB 3040856	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-027	Spoofing Vulnerability in NETLOGON (Replaces MS10-101 )
MS15-027	Windows CVE-2015-0005	KB 3002657	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-028	Access Control List Bypass via Windows Task Scheduler
MS15-028	Windows CVE-2015-0084	KB 3030377	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-029	Information Disclosure in Windows Photo Decoder
MS15-029	Windows Photo Decoder CVE-2015-0076	KB 3035126	no known exploits.	Severity:Important Exploitability: 2	Important	Important
MS15-030	Denial of Service Vulnerability in RDP (Replaces MS14-030 )
MS15-030	Remote Desktop Protocol CVE-2015-0079	KB 3039976	no known exploits.	Severity:Important Exploitability: 3	Important	Important
MS15-031	Schannel Patch for FREAK
MS15-031	Schannel CVE-2015-1637	KB 3046049	yes.	Severity:Important Exploitability: 1	Important	Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS London August 2021

Johannes

4191 Posts
ISC Handler

Mar 10th 2015

Thread locked Subscribe

Mar 10th 2015
6 years ago

It appears MS is doing some fancy stuff with the bulletin URLs. They all dump back to the technet security bulletin page.

TexISO

19 Posts

Quote

Mar 10th 2015
6 years ago

I adjusted the URLs. They should work now. Looks like I used an older scheme.

Johannes

4191 Posts
ISC Handler

Quote

Mar 10th 2015
6 years ago

Exploit for MS15-027 is available at https://code.google.com/p/impacket/source/browse/trunk/examples/smbrelayx.py

Johannes
1 Posts

Quote

Mar 10th 2015
6 years ago

FYI: I dont see MS15-019 in my WSUS server yet. I do see MS15-018 and MS-020.

TuggDougins

37 Posts

Quote

Mar 10th 2015
6 years ago

Note that MS15-019 does not apply to all browsers. Some will receive the VBScript patch via MS15-018.

Johannes

4191 Posts
ISC Handler

Quote

Mar 10th 2015
6 years ago

And MS15-020 fixes a faied Stuxnet patch MS10-046.

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2015-0096-issue-patched-today-involves-failed-Stuxnet-fix/ba-p/6718402#.VP9GQFV4o50

Anonymous

Quote

Mar 10th 2015
6 years ago

Bad news ... if for real ... CVE-2015-0096 issue patched today involves failed Stuxnet fix

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2015-0096-issue-patched-today-involves-failed-Stuxnet-fix/ba-p/6718402

k4l4m4r1s

7 Posts

Quote

Mar 10th 2015
6 years ago

Minor note: MS15-018 references KB 3032359, not 3040297 as listed in the chart.

IMFerret

10 Posts

Quote

Mar 11th 2015
6 years ago

Hi, this is Peter from Berlin/Germany. My first reply. Update KB3033929 fails with error code 80004005. Confirmed on two standalone machines, both Lenovo (ThinkCentre Edge and ThinkPad E-Series, both 64-bit-dual-boot-systems with Windows 7 and Suse Linux). Tested on two different desktop-machines in our enterprise faultlessly, but I'm not feeling comfortable for a broader test already. (Hope my Englisch is good enough for you to follow.)

Does anyone experienced this behaviour?

Thanks, greetings
Peter

URLs:
- https://social.technet.microsoft.com/Forums/en-US/a08ad884-6b05-4632-8f28-2568eb97b636/update-kb3033929-fails-with-error-code-80004005?forum=w7itprosecurity
- http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/kb3033929-important-update-failed-reverted-changes/5a902e57-515d-4f15-91e6-eb73781ec382

Peter

2 Posts

Quote

Mar 11th 2015
6 years ago

That's a fairly non-specific Windows Update error number - try these 2 urls?

windows.microsoft.com/en-us/windows7/…
support.microsoft.com/kb/…

Rob VandenBrink

563 Posts
ISC Handler

Quote

Mar 11th 2015
6 years ago

Total of 15 T-440 7 Pro 64 bit on 2012 network, no complaints.

ICI2I

63 Posts

Quote

Mar 12th 2015
6 years ago

Thanks. KB3033929 seems to cause at least some problems:

- http://krebsonsecurity.com/2015/03/ms-update-3033929-causing-reboot-loop/

Peter

2 Posts

Quote

Mar 12th 2015
6 years ago

MS15-018
Internet Explorer Elevation of Privilege Vulnerability
CVE-2015-0072
0 - Exploitation Detected
0 - Exploitation Detected

(According to tech net mar summary)

The IE UXSS is also fixed by ms15-018
Haven't seen much coverage here, but definitely a nice phishing vector and covered on Fdisclosure(over a month)

Mallory Bobalice

28 Posts

Quote

Mar 15th 2015
6 years ago