Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2069 Microsoft Security Bulletin MS15-084: Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) 12 August 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Microsoft Windows Microsoft Office Publisher: Microsoft Operating System: Windows Impact/Access: Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2015-2471 CVE-2015-2440 CVE-2015-2434 Original Bulletin: https://technet.microsoft.com/en-us/library/security/MS15-084 - --------------------------BEGIN INCLUDED TEXT-------------------- Microsoft Security Bulletin MS15-084: Vulnerabilities in XML Core Services Could Allow Information Disclosure (3080129) Bulletin Number: MS15-084 Bulletin Title: Vulnerabilities in XML Core Services Could Allow Information Disclosure Severity: Important KB Article: 3080129 Version: 1.0 Published Date: August 11, 2015 Executive Summary This security update resolves vulnerabilities in Microsoft Windows and Microsoft Office. The vulnerabilities could allow information disclosure by either exposing memory addresses if a user clicks a specially crafted link or by explicitly allowing the use of Secure Sockets Layer (SSL) 2.0. However, in all cases an attacker would have no way to force users to click a specially crafted link. An attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message. This security update is rated Important for the following software: Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on all supported releases of Microsoft Windows except Windows 10, which is not affected. Microsoft XML Core Services 5.0 on Microsoft Office 2007 Service Pack 3 Microsoft XML Core Services 5.0 on Microsoft InfoPath 2007 Service Pack 3 For more information, see the Affected Software section. Affected Software Windows Vista Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 and Windows 8.1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 and Windows Server 2012 R2 Windows Server 2012 Windows Server 2012 R2 Windows RT and Windows RT 8.1 Windows RT[1] Windows RT 8.1[1] Server Core installation option Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 (Server Core installation) Windows Server 2012 R2 (Server Core installation) Microsoft Office Microsoft Office Suites and Components Microsoft Office 2007 Service Pack 3 Other Microsoft Office Software Microsoft InfoPath 2007 Service Pack 3 Vulnerability Information Multiple MSXML Information Disclosure Vulnerabilities Information disclosure vulnerabilities exist when Microsoft XML Core Services (MSXML) explicitly allows the use of Secure Sockets Layer (SSL) 2.0. An attacker who successfully exploited these vulnerabilities could decrypt portions of encrypted network information traffic. In a man-in-the-middle (MiTM) attack scenario, an attacker could force an encrypted SSL 2.0 session and then decrypt portions of encrypted network information traffic. This update resolves the issue by configuring MSXML to use more secure network protocols by default instead of SSL 2.0. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited MSXML Information Disclosure Vulnerability CVE-2015-2434 No No MSXML Information Disclosure Vulnerability CVE-2015-2471 No No MSXML Information Disclosure Vulnerability - CVE-2015-2440 An information disclosure vulnerability exists when Microsoft XML Core Services (MSXML) exposes memory addresses not intended for public disclosure. An attacker could combine this information disclosure vulnerability to bypass Address Space Layout Randomization (ASLR). An attacker who successfully exploited this vulnerability could potentially read private data. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but the attacker could use it to obtain information in an attempt to further compromise the affected system. To exploit the vulnerability, an attacker could host a specially-crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website. The update addresses the vulnerability by modifying how Microsoft XML Core Services returns data requests. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVcqJ936ZAP0PgtI9AQKt8w//RT23AxVIyv9CUCLSfBMrGMt5vtPj4FGF ZbHYTsUVFuPqOjKhx3QpJpi7/L6bNfXHvKFH0GBamKLGGXA7oFABRJDd/z0dwxi5 HdbjLSFfev7oUmfmi2yaBE3wPlOREMObtbvZGqBUGTfoEVc6IlrveMyVdZr2ih5t 4/ib2TW40krsEss1Kwgmts+0T/oa8oojMitNqyN1jlpJbEMISgs0JvBuF7Hcz0XV 4t7jGqmCjetfrrjAq8rG1mB+wWxKWqlbUf7ZhsulRTD0vwzPMpirwYPBjVzPK0Gx ltb7nVyhK9Zn67dPxJmmIEve1pwR2ZHumS07Sl1eME51g6oQ3pYb4IhcaEkb3O1H KdB5VHjVul19FeQ4TnqgHkXZHNWvLW1xhFKQhAWnnZc+FsNT3E4yEFycpvRk1KoS W2yoA8c4OE3U6P+ah60v0tcktUQp7ntTGCS4HUpp0rkg0RkTlDaD8c+MKZmpEWTL EN3KTYuSURAzp0SS4kWC6rwA8VJJQ95bM0NGxFl4BfjkWeFXOwXm2pkV7QfnObUG 6pb/ZOjHFKDS6JXu3G2WG95vC3kFCvmE9uWBtBR1bTReKN/MDWzqwuUGq51lVYC1 OR5XE1bSwJxjU6FWvklbp6dRxySYo6lgwgjfSSfGe+c8irF9Ze2uhqXZmaL1xcjZ ZWkilWaXRfc= =4bPb -----END PGP SIGNATURE-----