MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656)

Nessus Plugin ID 85877 (Severity: High)

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities:

- An elevation of privilege vulnerability exists in the Windows Adobe Type Manager Library due to improper handling of specially crafted OpenType fonts. An authenticated, remote attacker can exploit this vulnerability, via a specially crafted application, to elevate privileges and execute arbitrary code. (CVE-2015-2506)

- Multiple elevation of privilege vulnerabilities exist in the Windows Adobe Type Manager Library due to improper handling of objects in memory. A local attacker can exploit these vulnerabilities, via a specially crafted application, to execute arbitrary code. (CVE-2015-2507, CVE-2015-2508, CVE-2015-2512)

- A remote code execution vulnerability exists in components of Windows, Office, and Lync due to improper handling of specially crafted OpenType fonts. An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to open a file or visit a website containing specially crafted OpenType fonts, resulting in execution of arbitrary code in the context of the current user. (CVE-2015-2510)

- Multiple elevation of privilege vulnerabilities exist in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit these vulnerabilities, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2015-2511, CVE-2015-2517, CVE-2015-2518, CVE-2015-2546)

- An elevation of privilege vulnerability exists in the Windows kernel-mode driver due to improper validation and enforcement of integrity levels during certain process initialization scenarios. A local attacker can exploit this vulnerability, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2015-2527)

- A security feature bypass vulnerability exists due to a failure by the Windows kernel to properly initialize a memory address. A local attacker can exploit this, via a specially crafted application, to bypass Kernel Address Space Layout Randomization (KASLR) and retrieve the base address of the kernel driver. (CVE-2015-2529)

Solution

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10. Additionally, Microsoft has released a set of patches for Office 2007, Office 2010, Lync 2010, Lync 2010 Attendee, Lync 2013 (Skype for Business), Lync Basic 2013, and Live Meeting 2007.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-097

Plugin Details

Severity: High

ID: 85877

File Name: smb_nt_ms15-097.nasl

Version: 1.14

Type: local

Agent: windows

Published: 9/9/2015

Updated: 3/28/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2015-2510

Vulnerability Information

CPE: cpe:/a:microsoft:live_meeting_console, cpe:/a:microsoft:lync, cpe:/a:microsoft:lync_basic, cpe:/a:microsoft:office, cpe:/a:microsoft:skype_for_business, cpe:/o:microsoft:windows

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/8/2015

Vulnerability Publication Date: 9/8/2015

CISA Known Exploited Vulnerability Due Dates: 4/5/2022

Reference Information

CVE: CVE-2015-2506, CVE-2015-2507, CVE-2015-2508, CVE-2015-2510, CVE-2015-2511, CVE-2015-2512, CVE-2015-2517, CVE-2015-2518, CVE-2015-2527, CVE-2015-2529, CVE-2015-2546

BID: 76563, 76589, 76591, 76592, 76593, 76597, 76599, 76602, 76606, 76607, 76608

IAVA: 2015-A-0212

MSFT: MS15-097

MSKB: 3081087, 3081088, 3081089, 3081090, 3081455, 3085500, 3085529, 3085546, 3087039, 3087135