Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220)
Published: February 10, 2015 | Updated: February 18, 2015
Version: 1.1
Executive Summary
This security update resolves one publicly disclosed and five privately reported vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType fonts.
This security update is rated Critical for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1; it is rated Important for all supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008. For more information, see the Affected Software section.
The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver validates certain parameters against registered objects, validates and enforces impersonation levels, handles objects in memory, validates data returned from user mode functions before being executed, handles TrueType Font error checking, and checks font widths prior to loading fonts into memory. For more information about the vulnerability, see the Vulnerability Information section.
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Note The 3013455 update is available for Windows Technical Preview and Windows Server Technical Preview. Customers running these operating systems are encouraged to apply the update via Windows Update.
[1]This update is available via Windows Update only.
Update FAQ
For the 3013455 update, why are there two packages on the Microsoft Download Center pages for affected editions of Windows Server 2003, Windows Server 2008, and Windows Vista?
An additional, non-security update was implemented for affected editions of Windows Server 2003, Windows Server 2008, and Windows Vista to address problems with text quality degradation that some customers experienced after installing the 3013455 update. Note that the additional package (3037639) is not needed to be protected from the vulnerabilities addressed by the 3013455 update; it simply corrects the text quality problem. Customers should also be aware that the 3037639 update does require a system restart after installation.
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Win32k Elevation of Privilege Vulnerability - CVE-2015-0003
An elevation of privilege vulnerability exists in the Windows kernel-mode driver (Win32k.sys) that is caused when it improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. The update addresses the vulnerability by correcting how the kernel-mode driver validates certain parameters against registered objects.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workarounds
The following workarounds may be helpful in your situation:
Set up a Registry entry to disable NULL page mapping (Windows 7 only)
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Open Registry Editor.
Locate and then click the following registry sub key:
A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels.
This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2015-2010. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Win32k Elevation of Privilege Vulnerability - CVE-2015-0057
An elevation of privilege vulnerability exists in the Windows kernel-mode driver (Win32k.sys) that is caused when it improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to elevate privileges. The update addresses the vulnerability by correcting how the kernel-mode driver handles objects in memory.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
Windows Cursor Object Double Free Vulnerability - CVE-2015-0058
An elevation of privilege vulnerability exists in the Windows kernel-mode driver (win32k.sys) due to a double-free condition. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to elevate privileges. The update addresses the vulnerability by correcting how the kernel-mode driver validates data returned from user mode functions before being executed.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
TrueType Font Parsing Remote Code Execution Vulnerability - CVE-2015-0059
A remote code execution vulnerability exists in the Windows kernel-mode driver (Win32k.sys) that is caused when it improperly handles TrueType fonts.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. To exploit the vulnerability, an attacker would need to convince a user to open a specially crafted document or visit an untrusted website that contains embedded TrueType Fonts. The update addresses the vulnerability by correcting how the kernel-mode driver handles TrueType fonts.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
The following workarounds may be helpful in your situation:
Deny access to T2EMBED.DLL
For 32-bit systems, enter the following commands at an administrative command prompt:
Windows Font Driver Denial of Service Vulnerability - CVE-2015-0060
A denial of service vulnerability exists in the Windows kernel-mode driver (Win32k.sys) that is caused when the Windows font mapper attempts to scale a font.
An attacker who successfully exploited this vulnerability could cause the user’s computer to stop responding. An attacker could attempt to exploit this vulnerability by convincing a user to open a malicious file or visit a malicious website link. The update addresses the vulnerability by correcting how the kernel-mode driver checks font widths prior to loading fonts into memory.
Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
The following workarounds may be helpful in your situation:
Deny access to T2EMBED.DLL
For 32-bit systems, enter the following commands at an administrative command prompt:
For 64-bit systems, enter the following commands at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone
IIcacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone
```
Security Update Deployment
--------------------------
For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.
Acknowledgments
---------------
Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See [Acknowledgments](https://technet.microsoft.com/library/security/dn903755.aspx) for more information.
Disclaimer
----------
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
---------
- V1.0 (February 10, 2015): Bulletin published.
- V1.1 (February 18, 2015): Bulletin revised to add an Update FAQ that explains why there are two packages on the Microsoft Download Center pages for affected editions of Windows Server 2003, Windows Server 2008, and Windows Vista. The additional package (3037639) is not needed to be protected from the vulnerabilities addressed by the 3013455 update; it simply corrects a text quality problem that some customers experienced after installing the 3013455 update on the indicated systems.
*Page generated 2015-02-18 15:39Z-08:00.*
Protect your Active Directory environment by securing user accounts to least privilege and placing them in the Protected Users group. Learn how to limit authentication scope and remediate potentially insecure accounts.