Microsoft Patch Tuesday - April 2015

Published: 2015-04-14. Last Updated: 2015-04-14 17:23:50 UTC
by Alex Stanford (Version: 1)
8 comment(s)

Overview of the April 2015 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS15-032 | Cumulative Security Update for Internet Explorer (Replaces MS15-018) | CVE-2015-1652, CVE-2015-1657, CVE-2015-1659, CVE-2015-1660, CVE-2015-1661, CVE-2015-1662, CVE-2015-1665, CVE-2015-1666, CVE-2015-1667, CVE-2015-1668; KB 3038314 | No | Severity: Critical; Exploitability: | Critical | Important |
| MS15-033 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS14-081, MS15-022) | CVE-2015-1639, CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651; KB 3048019 | vuln. public. | Severity: Critical; Exploitability: | Critical | Important |
| MS15-034 | Vulnerability in HTTP.sys Could Allow Remote Code Execution | CVE-2015-1635; KB 3042553 | No | Severity: Critical; Exploitability: | Critical | Critical |
| MS15-035 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution | CVE-2015-1645; KB 3046306 | No | Severity: Critical; Exploitability: | Critical | Critical |
| MS15-036 | Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (Replaces MS15-022) | CVE-2015-1640, CVE-2015-1653; KB 3052044 | No | Severity: Important; Exploitability: | N/A | Important |
| MS15-037 | Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege | CVE-2015-0098; KB 3046269 | No | Severity: Important; Exploitability: | Important | Important |
| MS15-038 | Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (Replaces MS15-025, MS15-031) | CVE-2015-1643, CVE-2015-1644; KB 3049576 | No | Severity: Important; Exploitability: | Important | Important |
| MS15-039 | Vulnerability in XML Core Services Could Allow Security Feature Bypass (Replaces MS14-067) | CVE-2015-1646; KB 3046482 | No | Severity: Important; Exploitability: | Important | Important |
| MS15-040 | Vulnerability in Active Directory Federation Services Could Allow Information Disclosure | CVE-2015-1638; KB 3045711 | No | Severity: Important; Exploitability: | Important | Important |
| MS15-041 | Vulnerability in .NET Framework Could Allow Information Disclosure (Replaces MS14-009) | CVE-2015-1648; KB 3048010 | No | Severity: Important; Exploitability: | Important | Important |
| MS15-042 | Vulnerability in Windows Hyper-V Could Allow Denial of Service | CVE-2015-1647; KB 3047234 | No | Severity: Important; Exploitability: | Important | Important |

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

       

-- 
Alex Stanford - GIAC GWEB & GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

Keywords: mspatchday
ISC StormCast for Tuesday, April 14th 2015 http://isc.sans.edu/podcastdetail.html?id=4439

Odd POST Request To Web Honeypot

Published: 2015-04-14. Last Updated: 2015-04-14 02:11:17 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

I just saw this odd POST request to our honeypot's index page. Has anybody seen something like this? No idea what they are trying to accomplish.

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; EIE10;ENUSMSN)\r\n
Host: [IP Address of Honeypot]
Content-Length: 364
Cache-Control: no-cache

I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykFE1QDf9qZ+7DWSqt4nzWXnsjB1yXtBq8Ln7nj2FExhjmxJcRTYLCuDyBnRP8cpqOAlJrM68lEatjAS4O2bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcnCnDZJxq0t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR6ukW1yRvMMe1seSujBbfBqrZbijFHaH4eK5TcH6AJGkikgaiVLi6uABwhnX+VL9Nzfss+RRzC4n1hX6zHKn4+XfoCIHs3hFbgUOjqQx2vPvOek3+y2fAbsndiqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/SRIbl

The payload looks Base64 encoded, but decoding doesn't help much either. The payload also looks like the "+" (which would be a space if URL encoded) marks a delimiter.

0000000: 236a 40dd c53c 5528 aec3 69c2 3b09 6b28  #j@..<U(..i.;.k(
0000010: df8a f237 8362 2b86 f6cb 6213 2905 1354  ...7.b+...b.)..T
0000020: 037f da99 fbb0 d64a ab78 9f35 979e c8c1  .......J.x.5....
0000030: d725 ed06 af0b 9fb9 e3d8 5131 8639 b125  .%........Q1.9.%
0000040: c453 60b0 ae0f 2067 44ff 1ca6 a380 949a  .S`... gD.......
0000050: cceb c944 6ad8 c04b 83b6 6e94 156e d547  ...Dj..K..n..n.G
0000060: 0327 edb5 df4b 72c6 83be 4603 0fd5 1a39  .'...Kr...F....9
0000070: 5727 0a70 d927 1ab4 b783 398b d59a 26eb  W'.p.'....9...&.
0000080: 2b48 1349 ae2f 5baf d085 8c43 3b22 b2f1  +H.I./[....C;"..
0000090: 4b56 544b 8951 eae9 16d7 246f 30c7 b5b1  KVTK.Q....$o0...
00000a0: e4ae 8c16 df06 aad9 6e28 c51d a1f8 78ae  ........n(....x.
00000b0: 5370 7e80 2469 2292 06a2 54b8 bab8 0070  Sp~.$i"...T....p
00000c0: 8675 fe54 bf4d cdfb 2cf9 1473 0b89 f585  .u.T.M..,..s....
00000d0: 7eb3 1ca9 f8f9 77e8 0881 ecde 115b 8143  ~.....w......[.C
00000e0: a3a9 0c76 bcfb ce7a 4dfe cb67 c06e c9dd  ...v...zM..g.n..
00000f0: 8aac fc48 2ccc 252c d6d1 0c41 5ba2 63bb  ...H,.%,...A[.c.
0000100: c68d afe9 fdf9 e942 43ad 2f44 cfd2 4486  .......BC./D..D.
0000110: e5                                       .

Any ideas?

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: web honeypot
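
A triage of the request body above, added here as an example and not part of the original diary: it tests the Base64 reading, shows what a form-urlencoded parser would do to the "+" characters, and measures how random the decoded bytes look. The body is copied from the request in the diary; the function and field names are this example's own.

```python
import base64
import binascii
import math
from collections import Counter
from urllib.parse import unquote_plus

# POST body copied from the request in the diary above (364 characters).
BODY = (
    "I2pA3cU8VSiuw2nCOwlrKN+K8jeDYiuG9stiEykFE1QDf9qZ+7DWSqt4nzWXnsjB1yXtBq8Ln7nj"
    "2FExhjmxJcRTYLCuDyBnRP8cpqOAlJrM68lEatjAS4O2bpQVbtVHAyfttd9LcsaDvkYDD9UaOVcn"
    "CnDZJxq0t4M5i9WaJusrSBNJri9br9CFjEM7IrLxS1ZUS4lR6ukW1yRvMMe1seSujBbfBqrZbijF"
    "HaH4eK5TcH6AJGkikgaiVLi6uABwhnX+VL9Nzfss+RRzC4n1hX6zHKn4+XfoCIHs3hFbgUOjqQx2"
    "vPvOek3+y2fAbsndiqz8SCzMJSzW0QxBW6Jju8aNr+n9+elCQ60vRM/SRIbl"
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the observed byte distribution (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def strict_b64(text: str):
    """Return decoded bytes, or None if any character is outside the alphabet."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def triage(body: str) -> dict:
    raw = strict_b64(body)
    data = raw or b""
    printable = sum(0x20 <= b <= 0x7E for b in data)
    return {
        "is_base64": raw is not None,
        "decoded_len": len(data),
        "len_mod_16": len(data) % 16,  # 0 would fit bare block-cipher output
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "printable_ratio": round(printable / max(len(data), 1), 2),
        # "+" is 1 of 64 symbols, so random data has about len/64 of them.
        "plus_seen": body.count("+"),
        "plus_expected": round(len(body) / 64, 1),
        "piece_lengths": [len(p) for p in body.split("+")],
        # A form parser turns "+" into a space, which is not valid Base64.
        "form_decoded_is_b64": strict_b64(unquote_plus(body)) is not None,
    }

if __name__ == "__main__":
    for key, value in triage(BODY).items():
        print(f"{key}: {value}")
```

Comparing `plus_seen` with `plus_expected` and looking at `piece_lengths` shows whether the "+" characters behave like ordinary Base64 symbols or like regularly spaced separators.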