Tuesday, March 10, 2015

Microsoft Security Bulletin Release for March 2015


Microsoft released fourteen (14) bulletins.  Five (5) bulletins are identified as Critical and the remaining nine (9) are rated Important in severity.

The updates address vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Exchange and Internet Explorer.  Details about the CVEs can be found in the below-referenced TechNet Security Bulletin.

Security Bulletin MS15-031 addresses the vulnerability in Security Advisory 3046015, which relates to the SSL/TLS issue being referred to as “FREAK” (Factoring attack on RSA-EXPORT Keys).


In addition to providing information about the additional families added to the MSRT, information regarding Superfish and steps by Microsoft, Lenovo and others is available in the MMPC blog post, MSRT March: Superfish cleanup.



Updates:

Critical:
  • MS15-022 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3038999)
  • MS15-021 -- Vulnerabilities in Adobe Font Driver Could Allow Remote Code Execution (3032323) 
  • MS15-020 -- Vulnerability in Microsoft Windows Could Allow Remote Code Execution (3041836) 
  • MS15-019 -- Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3040297) 
  • MS15-018 -- Cumulative Security Update for Internet Explorer (3032359) 

Important:
  • MS15-031 -- Vulnerability in Schannel Could Allow Security Feature Bypass (3046049) 
  • MS15-030 -- Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (3039976) 
  • MS15-029 -- Vulnerability in Windows Photo Decoder Component Could Allow Information Disclosure (3035126) 
  • MS15-028 -- Vulnerability in Windows Task Scheduler Could Allow Security Feature Bypass (3030377)
  • MS15-027 -- Vulnerability in NETLOGON Could Allow Spoofing (3002657)
  • MS15-026 -- Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856) 
  • MS15-025 -- Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680) 
  • MS15-024 -- Vulnerability in PNG Processing Could Allow Information Disclosure (3035132) 
  • MS15-023 -- Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege (3034344) 

Additional Update Notes

  • MSRT -- Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center. 

    The updated version includes the Win32/CompromisedCert and Win32/Alinaos malware families.  Additional details are available in the MMPC blog post.

  • Internet Explorer -- For additional information about the blocking of out-of-date ActiveX controls see the TechNet article, Out-of-date ActiveX control blocking.  Additional changes introduced this month include the blocking of outdated Silverlight.  Additional information is available in the IE Blog.

  • Windows 8.x -- Non-security new features and improvements for Windows 8.1 are now included with the second Tuesday of the month updates.  Additional information about this change is available here.

  • Windows XP -- Although Microsoft has stopped providing Microsoft Security Essentials for Windows XP, definitions will be available until July 15, 2015.  See Microsoft antimalware support for Windows XP.  The MSRT still works on Windows XP.

References




    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...







    1 comment:

    Anonymous said...

    On March 16th additional IE 11 updates were available for my system. Much to my surprise an IE 11 fault was corrected after MS admitted to the flaw two years earlier.

    The flaw was after updating from IE 10, the upper tool bar auto hide/appear function when the cursor was placed at the top of the page stopped working. MS admitted to this fault but said since there was a workaround they would not fix it.

    Well, MS must have changed their minds as the updates this morning have fixed the flaw.

    Two plus years is way too long to fix a flaw and it was disappointing when MS said they had no intention of fixing it.

    The flaw only applied to IE 11 after updating from IE 10.