Patch Tuesday Analysis - July 2015

Chris Goettl
Product Manager
Minimizing the Impact of Patch Tuesday
Wednesday, July 10th, 2015
Dial In: 1-855-749-4750 (US)
Attendees: 923 570 636

Shavlik Confidential
 Feel free to ask questions via the online Q&A link in the WebEx
interface.
 Questions may be answered during the presentation.
 Unanswered questions will be resolved via email after the
presentation is over.
 When asking a question, please include your email address so
we can answer you offline if we run out of time.
 A copy of this presentation will be available at
http://www.shavlik.com/webinars/ after the webinar.
2
Logistics

 July 2015 Patch Tuesday Overview
 Review July 2015 Security Bulletins
 Patch Recommendations
 Other patches released since last Patch Tuesday
3
Agenda

 14 Microsoft Security Bulletins / 59 Vulnerabilities Addressed
 Adobe Flash Bulletin / 2 Vulnerabilities Addressed
 Adobe Acrobat and Acrobat Reader / 46 Vulnerabilities Addressed
 Adobe Shockwave / 2 Vulnerabilities Addressed
 Oracle Java / 25 Vulnerabilities Addressed
 Google Chrome Release / Support for latest Flash Plug-In
 Affected Products:
 All supported Windows operating systems
 Internet Explorer
 Microsoft Office 2010, 2013
 SQL Server 2014, 2010, 2005
 Adobe Flash, Acrobat, Reader, Shockwave
 Google Chrome 43
 Oracle Java 8u51
4
Patch Tuesday Overview for July 2015

 Security Bulletins:
 5 bulletin is rated as Critical.
 9 bulletins are rated as Important.
 Vulnerability Impact:
 7 bulletin addresses vulnerabilities that could allow Remote Code Execution.
 7 bulletins address vulnerabilities that could allow Elevation of Privileges.
5
Overview for Microsoft July 2015

 Security Bulletins:
 Adobe Flash update for Flash Player (Priority 1)
 Adobe AcrobatReader (Priority 2)
 Adobe Shockwave (Priority 1)
 Oracle Java (Critical)
 Google Chrome update for Chrome 43 (No rating by Google, Flash plug-in Priority 1)
 Vulnerability Impact:
 Adobe Flash resolves 2 vulnerabilities including Remote Code Execution.
 Adobe Shockwave resolves 2 vulnerabilities including Remote Code Execution.
 Adobe AcrobatReader resolves 46 vulnerabilities including Remote Code Execution, Information
Disclosure, Privilege Escalation, DoS.
 Google Chrome support for latest Flash plug-in (2 vulnerabilities)
 Oracle Java resovles 25 vulnerabilities 23 of which can be executed remotely without authentication.
6
Overview for 3rd Party Vendors July 2015

 Maximum Severity: Priority 1
 Affected Products: Adobe Flash 13 and 18, Flash plug-ins for IE, Chrome, and FireFox
 Description: Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux.
These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected
system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.
 Impact: Remote Code Execution
 Fixes 2 vulnerabilities:
 CVE-2015-5122, CVE-2015-5123
 Replaces: All previous Flash 13 and 18 versions
 Restart Required:
7
APSB15-18: Security updates available for Adobe Flash Player

 Affected Products: Adobe Shockwave Player 12
 Description: Adobe has released a security update for Adobe Shockwave Player for Windows and Macintosh. This
update addresses critical vulnerabilities that could potentially allow an attacker to take control of the affected system
 CVE-2015-5120, CVE-2015-5121
 Replaces: All previous Shockwave 12
8
APSB15-17: Security update available for Adobe Shockwave Player

 Maximum Severity: Critical
 Affected Products: Java 8
 Description: This patch will install Java 8 Runtime Environment Update 51.
 CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590 (Zero Day), CVE-2015-4732, CVE-2015-
4733, CVE-2015-2638, CVE-2015-4736, CVE-2015-4748, CVE-2015-2597, CVE-2015-2664, CVE-2015-2632,
CVE-2015-2601, CVE-2015-2613, CVE-2015-2621, CVE-2015-2659, CVE-2015-2619, CVE-2015-2637, CVE-
2015-2596, CVE-2015-4749, CVE-2015-4729, CVE-2015-4000, CVE-2015-2808, CVE-2015-2627, CVE-2015-
2625
 Replaces: All previous Java 8
9
JAVA8-51: Java 8 Update 51 (QJAVA8U51)

 Maximum Severity:
 Affected Products: Google Chrome
 Description: The stable channel has been updated to 43.0.2357.134 for Windows, Mac, and Linux.
 Impact: Supports update for Flash Plug-in including 2 security fixes
 Fixes ? vulnerabilities:
 Replaces: All previous versions
10
CHROME-138(QGC4302357132): Chrome 43.0.2357.132

 Affected Products: Internet Explorer
 Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the
vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those
who operate with administrative user rights.
 Publicly disclosed CVE-2015-2398, CVE-2015-2419, CVE-2015-2421, CVE-2015-2413, CVE-2015-1729,
CVE-2015-1733, CVE-2015-1738, CVE-2015-1767, CVE-2015-2372, CVE-2015-2383, CVE-2015-2384, CVE-
2015-2385, CVE-2015-2388, CVE-2015-2389, CVE-2015-2390, CVE-2015-2391, CVE-2015-2397, CVE-2015-
2401, CVE-2015-2402, CVE-2015-2403, CVE-2015-2404, CVE-2015-2406, CVE-2015-2408, CVE-2015-2410,
CVE-2015-2411, CVE-2015-2412, CVE-2015-2414, CVE-2015-2422, CVE-2015-2425 (Exploited in Wild)
 Replaces: 3058515 in MS15-056,
 Restart Required: Requires Restart
11
MS15-065: Security Update for Internet Explorer (3076321)

 Affected Products: Windows (VBScript)
 Description: This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows.
The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who
successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is
logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete
control of an affected system. An attacker could then install programs; view, change, or delete data; or create new
accounts with full user rights.
 CVE-2015-2372
 Replaces: 3030403 in MS15-019,
 Restart Required: may Require Restart
12
MS15-066: Vulnerability in VBScript Scripting Engine Could Allow
Remote Code Execution (3072604)

 Affected Products: Windows (RDP)
 Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow
remote code execution if an attacker sends a specially crafted sequence of packets to a targeted system with Remote
Desktop Protocol (RDP) enabled. By default, RDP is not enabled on any Windows operating system. Systems that do
not have RDP enabled are not at risk.
 CVE-2015-2373
 Replaces: 2965788 and 3035017 in MS15-030,
13
MS15-067: Vulnerability in RDP Could Allow Remote Code Execution
(3073094)

 Affected Products: Windows (Hyper-V)
 Description: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow
remote code execution in a host context if a specially crafted application is run by an authenticated and privileged user
on a guest virtual machine hosted by Hyper-V. An attacker must have valid logon credentials for a guest virtual
machine to exploit this vulnerability.
 CVE-2015-2361, CVE-2015-2362
 Replaces: none,
14
MS15-068: Vulnerabilities in Windows Hyper-V Could Allow Remote
Code Execution (3072000)

 Maximum Severity: Important
 Affected Products: Microsoft Office
 Description: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote
code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run
arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be
less impacted than those who operate with administrative user rights.
 CVE-2015-2375, CVE-2015-2376, CVE-2015-2377, CVE-2015-2378, CVE-2015-2379, CVE-
2015-2380, CVE-2015-2415, CVE-2015-2424 (Exploited in wild)
 Replaces: 2956103 in MS15-022,
 Restart Required: May Require Restart
15
MS15-070: Vulnerabilities in Microsoft Office Could Allow Remote
Code Execution (3072620)

 Affected Products: Windows
elevation of privilege if an attacker logs on to a target system and runs a specially crafted application. An attacker who
successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 Impact: Elevation of Privilege
 CVE-2015-2387 (exploited in wild)
 Replaces: 3032323 in MS15-021
16
MS15-077: Vulnerability in ATM Font Driver Could Allow
Elevation of Privilege (3077657)

 Affected Products: SQL 2014, 2010, 2005
 Description: This security update resolves vulnerabilities in Microsoft SQL Server. The most severe vulnerabilities
could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to
execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this
vulnerability an attacker would need permissions to create or modify a database.
 CVE-2015-1761, CVE-2015-1762, CVE-2015-1763
 Replaces: none
17
MS15-058: Vulnerabilities in SQL Server Could Allow Remote Code
Execution (3065718)

Remote Code Execution if an attacker first places a specially crafted dynamic link library (DLL) file in the target user’s
current working directory and then convinces the user to open an RTF file or to launch a program that is designed to
load a trusted DLL file but instead loads the attacker’s specially crafted DLL file. An attacker who successfully
exploited the vulnerabilities could take complete control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user rights.
 CVE-2015-2368 , CVE-2015-2369
 Replaces: none,
18
MS15-069: Vulnerabilities in Windows Could Allow Remote Code
Execution (3072631)

 Affected Products: Windows (NetLogon)
elevation of privilege if an attacker with access to a primary domain controller (PDC) on a target network runs a
specially crafted application to establish a secure channel to the PDC as a backup domain controller (BDC).
 CVE-2015-2374
 Replaces: 3002657 in MS15-027,
19
MS15-071: Vulnerability in Netlogon Could Allow Elevation of Privilege
(3068457)

elevation of privilege if Windows Graphics component fails to properly process bitmap conversions. An authenticated
attacker who successfully exploited this vulnerability could elevate privileges on a targeted system. An attacker could
then install programs; view, change, or delete data; or create new accounts with full administrative rights. An attacker
must first log on to the system to exploit this vulnerability.
 CVE-2015-2364
 Replaces: 3046306 in MS15-035, 2964736 in MS14-036 and 2965155 in MS14-036
20
MS15-072: Vulnerability in Windows Graphics Component Could
Allow Elevation of Privilege (3069392)

 Affected Products: Windwos (KMD)
elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application..
 Impact: Elevation of Privilege, Information Disclosure, DoS
 CVE-2015-2363, CVE-2015-2365, CVE-2015-2366, CVE-2015-2367, CVE-2015-2381, CVE-2015-2382
 Replaces: 3057839 in MS15-061,
21
MS15-073: Vulnerability in Windows Kernel-Mode Driver Could

elevation of privilege if the Windows Installer service improperly runs custom action scripts. An attacker must first
compromise a user who is logged on to the target system to exploit the vulnerability. An attacker could then install
programs; view, change, or delete data; or create new accounts with full administrative rights.
 CVE-2015-2371
 Replaces: 2918614 in MS14-049
22
MS15-074: Vulnerability in Windows Installer Service Could

elevation of privilege if used in conjunction with another vulnerability that allows arbitrary code to be run. Once the
other vulnerability has been exploited, an attacker could then exploit the vulnerabilities addressed in this bulletin to
cause arbitrary code to run at a medium integrity level
 CVE-2015-2416, CVE-2015-2417
 Replaces: 2876217 in MS13-070
23
MS15-075: Vulnerabilities in OLE Could Allow Elevation of
Privilege (3072633)

 Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability, which exists in
Windows Remote Procedure Call (RPC) authentication, could allow elevation of privilege if an attacker logs on to an
affected system and runs a specially crafted application. An attacker who successfully exploited this vulnerability could
take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights.
 CVE-2015-2370
 Replaces: 3061518 in MS15-055
24
MS15-076: Vulnerability in Windows Remote Procedure Call
Could Allow Elevation of Privilege (3067505)

elevation of privilege if the Windows Installer service improperly runs custom action scripts. An attacker must first
compromise a user who is logged on to the target system to exploit the vulnerability. An attacker could then install
programs; view, change, or delete data; or create new accounts with full administrative rights.
 Impact: Code Execution, Information Disclosure, Elevation of Privilege, DoS
 CVE-2014-0566, CVE-2014-8450, CVE-2015-3095, CVE-2015-4435, CVE-2015-4438, CVE-2015-4441, CVE-2015-4443, CVE-2015-
4444, CVE-2015-4445, CVE-2015-4446, CVE-2015-4447, CVE-2015-4448, CVE-2015-4449, CVE-2015-4450, CVE-2015-4451, CVE-
2015-4452, CVE-2015-5085, CVE-2015-5086, CVE-2015-5087, CVE-2015-5088, CVE-2015-5089, CVE-2015-5090, CVE-2015-5091,
CVE-2015-5092, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5096, CVE-2015-5097, CVE-2015-5098, CVE-2015-
5099, CVE-2015-5100, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5105, CVE-2015-5106, CVE-
2015-5107, CVE-2015-5108, CVE-2015-5109, CVE-2015-5110, CVE-2015-5111, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115
 Replaces: Previous AcrobatReader versions
25
APSB15-15: Security Updates Available for Adobe Acrobat and
Reader

 Opera
 iTunes
26
Other lower priority updates for July

Shavlik Confidential27
Review Patch Releases Since may Patch Tuesday
• Microsoft: 70 (Non-Security), 2 (Security
Advisories), 0 (Security Tool)
• FileZilla: 3 (Security)
• Thunderbird: 2 (Security)
• VMware Tools: 1 (Security)
• DropBox: 3 (non-Security)
• Google Drive: 1 (non-Security)
• Splunk Universal Forwarder: 1 (non-Security)
• Adobe Flash: 1 (ZeroDay), 1 (Security)
• Google Chrome: 2 (Security)
• FirefoxESR: 2 (Security)
• Apache Tomcat: 1 (Security), 2 (non-Security)
• Citrix VDA Core Services: 4 (non-Security)
• iTunes: 1 (Security)
• Quicktime: 1 (non-Security)
• Skype: 2 (Security)
• Ccleaner: 1 (non-Security)
• GoToMeeting: 1 (non-Security)
• LibreOffice: 1 (non-Security)
• Opera: 2 (Security)
• Notepad++: 3 (Security)
• Wireshark: 1 (Security)
• CDBurner XP: 1 (non-Security)
• HP Systems Management: 1 (non-Security)
• VMware Player: 2 (non-Security)
• WebEx Prod Tools: 1 (non-Security)
•

Shavlik Confidential2
Patch Day SummaryCompany Bulletin Software Affected CVE Count Vulnerability Impact Vendor Severity Threat Risk Notes
Microsoft MS15-058 SQL 3 Remote Code Execution Important Moderate Was the missing bulletin from last month.
Microsoft
MS15-065 Internet Explorer 29 Remote Code Execution Critical High
Publicly disclosed CVE-2015-2398, CVE-2015-2419, CVE-2015-
2421, CVE-2015-2413. Public disclosure drastically increases the
chance a vulnerability will be exploited. Exploited in Wild: CVE-
2015-2425
Microsoft MS15-066 Windows (VBScript) 1 Remote Code Execution Critical Moderate-High
Microsoft MS15-067 Windows (RDP) 1 Remote Code Execution Critical Moderate-High
Microsoft MS15-068 Windows (Hyper-V) 2 Remote Code Execution Critical Moderate-High
Microsoft MS15-069 Windows 2 Remote Code Execution Important Low-Moderate
Microsoft MS15-070 Office 8 Remote Code Execution Important High Exploited in wild CVE-2015-2424
Microsoft MS15-071 Windows (NetLogon) 1 Elevation of Privilege Important Low-Moderate
Microsoft MS15-072 Windows 1 Elevation of Privilege Important Low-Moderate
Microsoft MS15-073 Windows (KMD) 6 Elevation of Privilege Important Low-Moderate
Microsoft MS15-074 Windows (Installer) 1 Elevation of Privilege Important Low-Moderate
Microsoft MS15-075 Windows (OLE) 2 Elevation of Privilege Important Low-Moderate
Microsoft MS15-076 Windows (RPC) 1 Elevation of Privilege Important Low-Moderate
Microsoft MS15-077 Windows (ATM Font Driver) 1 Elevation of Privilege Important Moderate-High Publicly disclosed, Exploited in wild CVE-2015-2387
Adobe
APSB15-15 Acrobat and Reader 46
Code Execution, privilege
escalation, security feature
bypass, DoS, Information
Disclosure
Priority 2 Low-Moderate
Adobe APSB15-17 Shockwave 2 Code Execution Priority 1 Moderate-High
Adobe
APSB15-18 Flash Player 2 Code Execution Priority 1 High
CVE-2015-5122 and CVE-2015-5123 are both publicly disclosed
as part of the Hacking Team breach that occurred recently.
Likliehood of these exploits to be used is very high and could already
be in progress.
Google
Chrome-43 Chrome 0* Critical High
Supports the latest Adobe Flash Player update. This update should
be applied as soon as possible.
Apple
iTunes
Release expected, but had not yet dropped at the time this was sent
out.
Oracle Java7u75
Java8u33
Java 25 Remote Code Execution Critical High
23 of the 25 CVEs are remotely exploitable without authentication.
Includes first zero day for Java in two years. http://java-0day.com/

• Server 2003 End of Life - http://blog.shavlik.com/server-2003-end-life-july-14-2015-whats-
plan/
• We are looking for Protect 9.2 Field Test and Beta Test customers. If you are interested in a
demo of what is coming and participating in the test process contact Beta@Shavlik.com.
• Slide deck and video playback available here: www.shavlik.com/Webinars
• Sign up for next months Patch Tuesday Webinar and view webinar playbacks:
http://www.shavlik.com/webinars/
• Sign up for Content Announcements:
• Email http://www.shavlik.com/support/xmlsubscribe/
• RSS http://protect7.shavlik.com/feed/
• Twitter @ShavlikXML
• Follow us on:
• Shavlik on LinkedIn
• Twitter @ShavlikProtect
• Shavlik blog -> www.shavlik.com/blog
• Chris Goettl on LinkedIn
• Twitter @ChrisGoettl
30
Resources and Webinars

Patch Tuesday Analysis - July 2015

Patch Tuesday Analysis - July 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (12)

Similar to Patch Tuesday Analysis - July 2015

Similar to Patch Tuesday Analysis - July 2015 (20)

More from Ivanti

More from Ivanti (20)

Recently uploaded

Recently uploaded (20)

Patch Tuesday Analysis - July 2015

Editor's Notes