Microsoft patches critical http.sys and RTF security flaws

Posted on Wednesday, April 15 2015 @ 11:24 CEST by Thomas De Maesschalck
Microsoft logo
As part of the company's monthly Patch Tuesday update cycle, Microsoft released a bunch of security updates for Windows and Office. This month there are 11 bulletins, including four critical updates and seven market as important.

One of the critical updates plugs a gaping hole into http.sys that could allow attackers to remotely execute code on systems running the ISS webserver by manipulating http requests. Other than that, one of the other critical bulletins fixes ten security flaws in Internet Explorer while another fixes a critical hole that allowed code execution when opening manipulated RTF or Office documents.

The Register compiled a handy list over here:
  • MS15-032 Critical bulletin containing patches for 10 vulnerabilities in Internet Explorer. The bulletin is a cumulative update for Internet Explorer versions 6-11. Opening a malicious webpage that exploits one of these bugs to pull off a remote-code execution attack will compromise your computer unless you patch.

  • MS15-033 Critical bulletin addressing five CVE-listed vulnerabilities (CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651, CVE-2015-1639) in Office 2007-2013 as well as Office for Mac. Opening a dodgy rich text file or Office document could lead to code execution with the privileges of the logged-in user.

  • MS15-034 Critical fix for a remote code execution vulnerability (CVE-2015-1635) in HTTP.sys for Windows 7 and 8 as well as Server 2008 and Server 2012. Sending a malicious HTTP request to a Windows box running the IIS web server can fool the system into executing your malicious code.

  • MS15-035 Critical update for CVE-2015-1645, a flaw in the Microsoft Graphics Component in Windows Server 2003, 2008, Windows Vista and Windows 7. Windows 8 and Windows Server 2012 are not listed as vulnerable to the flaw. Opening an EMF file can trigger remote-code execution.

  • MS15-036 Important update for two SharePoint Server elevation of privilege vulnerabilities (CVE-2015-1640 and CVE-2015-1653). Applies to SharePoint Server 2010 and 2013.

  • MS15-037 Important bulletin for an elevation of privilege flaw (CVE-2015-0098) in Windows Task Scheduler. The fix applies to Windows 7 and Server 2008 R2.

  • MS15-038 Important fix for a elevation of privilege vulnerabilities (CVE-2015-1643 and CVE-2015-1644) in Windows Vista, 7, 8, 8.1, RT and Windows Server 2003, 2008 and 2012.

  • MS15-039 Important bulletin to address a security bypass hole (CVE-2015-1646) in XML Core Services on Windows Vista and Windows 7 as well as Server 2003 and Server 2008.

  • MS15-040 Important bulletin for an information disclosure flaw (CVE-2015-1638) in Active Directory for Windows Server 2012 R2.

  • MS15-041 Important information disclosure vulnerability (CVE-2015-1648) in .Net Framework on Windows Vista through Windows 8.1 and Server 2003-2012.

  • MS15-042 Important denial of service vulnerability ((CVE-2015-1647) in Hyper-V for Windows 8.1 and Windows Server 2012 R2.

  • About the Author

    Thomas De Maesschalck

    Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

    Loading Comments