Microsoft just released a special "out of band" security bulletin with a patch for a remote code execution vulnerability in Windows' OpenType font drivers. The update replaces a patch released last week (MS15-077). Microsoft rates the vulnerability critical for all currently supported versions of Windows. Microsoft says in its bulletin that it had information that the vulnerability was public, but had no indication that it was actively exploited. MS15-077 had been exploited at the time the MS15-077 bulletin was released last week. As a workaround, users may remove the font driver, but this may cause applications that rely on it to be unable to display certain fonts.
We will update issues on this page for about a week or so as they evolve.
We appreciate updates. US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.

Johannes 4510 Posts ISC Handler Jul 20th 2015

Does this only impact console display, or could things like document imaging and print servers also be affected?
Rich 2 Posts
Jul 20th 2015 6 years ago

I assume this also affects Windows Server 2003, but no patch is being released, is that correct?
Rich 5 Posts
Jul 20th 2015 6 years ago

From the sounds of things, yes, this also affects 2003.
Sounds as if this is a different iteration of an issue patched with MS15-077, which was applicable to Server 2003 just a few days ago, prior to the EoL of support. Also, all other versions of Windows are impacted, so again, highly likely.
Anonymous
Jul 20th 2015 6 years ago

Customers with extended support contracts will get a patch for Windows 2003 server, per our TAM.
Paul 47 Posts
Jul 20th 2015 6 years ago

Some say that this vulnerability is related to Hacking Team's exploit for Adobe's open type font manager. Even NIST says so https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2426.
However, a reddit user says that it's a pool overflow bug, judging by bindiff results: https://www.reddit.com/r/netsec/comments/3dyuwv/ms15078_remote_code_execution_in_all_versions_of/cta3lsx
Does anyone know what is really going on?
MD 11 Posts
Jul 21st 2015 6 years ago

Any news on Windows XP being vulnerable? Obviously everyone should have migrated away but it's always nice to know...
MD 2 Posts
Jul 21st 2015 6 years ago

Consensus seems to be this was a Hacking Team exploit. Unless something more substantial comes out I'll have to side with NIST's, FireEye's and TrendMicro's word.
FireEye Reference = http://www.csoonline.com/article/2950239/vulnerabilities/microsoft-releases-out-of-band-patch-for-all-versions-of-windows.html
TrendMicro Reference = http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-leak-uncovers-another-windows-zero-day-ms-releases-patch/
In the end, I don't think it really matters where it came from. It's a vulnerability that needs to be patched. I have a feeling we in the InfoSec community are going to be dealing with an influx of these vulnerabilities in the coming weeks due to the Hacking Team breach and new information coming to light. Suppose it's better than letting the vulnerabilities continue to run in the wild though.
Anonymous
Jul 21st 2015 6 years ago

makes you wonder just how many 0-days are lurking out there, though. Ugh.
John 88 Posts
Jul 21st 2015 6 years ago

Nobody needs us to check whether XP is affected.
Everybody can query the Microsoft Update Catalog: https://catalog.update.microsoft.com/v7/site/ScopedViewInline.aspx?updateid=ce9ea6ce-981c-4812-8895-baae01efb307
Anonymous
Jul 21st 2015 6 years ago

Users of Windows Server 2003 should remove the registry entry which lets CSRSS.EXE load this font driver:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers]
"Adobe Type Manager"=-
Anonymous
Jul 21st 2015 6 years ago

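The registry workaround from the comment above, as an added PowerShell example that is not part of the original thread: it reports whether the "Adobe Type Manager" value is registered under the Font Drivers key and, only when asked, exports the key and then removes the value. The function name and backup path are hypothetical, and the script assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example. Test-AtmFontDriverEntry and the backup file name are hypothetical.
# Audits, and optionally removes, the registry value quoted in the comment above.
function Test-AtmFontDriverEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remove,   # delete the value if it is present
        [string]$BackupPath = "$env:TEMP\FontDrivers-$(Get-Date -Format yyyyMMddHHmmss).reg"
    )

    $keyPs  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
    $keyReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
    $name   = 'Adobe Type Manager'

    $result = New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Present  = $false   # is the font driver entry registered?
        Driver   = $null    # data of the value, if present
        Removed  = $false
    }

    # No key or no value means the driver is not registered through this entry.
    if (-not (Test-Path -LiteralPath $keyPs)) { return $result }
    $prop = Get-ItemProperty -LiteralPath $keyPs -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $result }

    $result.Present = $true
    $result.Driver  = $prop.$name

    if ($Remove -and $PSCmdlet.ShouldProcess("$keyReg\$name", 'Remove registry value')) {
        # Export first: applications that rely on the driver may stop displaying
        # certain fonts, so the entry has to be restorable.
        & reg.exe export $keyReg $BackupPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; value not removed." }
        Remove-ItemProperty -LiteralPath $keyPs -Name $name -ErrorAction Stop
        $result.Removed = $true
    }
    return $result
}

Test-AtmFontDriverEntry                    # report only
# Test-AtmFontDriverEntry -Remove -WhatIf  # preview the removal without changing anything
```

Importing the exported .reg file restores the entry if fonts stop rendering after the change.
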
Hey all,
I am a bit dumbfounded with regard to this critical vulnerability. There's a lot of talking on how to patch, what to patch, when to patch, why to patch. What I can't find anywhere (at least in the top let's say 20 sites dedicated to CVE-2015-2426) is a how-to on... how to assess a potentially malicious file in order to determine whether an attempt to compromise is taking place. I mean, something along the lines of: you have a user reporting a docx file, what to look for, where to look within the file in order to be able to draw a conclusion. I would really appreciate a bit of direction in this.
Regards,
Anonymous
Jul 23rd 2015 6 years ago