Microsoft Security Bulletin MS15-025 - Important

Published: March 10, 2015 | Updated: March 16, 2015

Version: 2.0

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited the vulnerability could run arbitrary code in the security context of the account of another user who is logged on to the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts potentially with full user rights.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Windows Registry Virtualization handles the virtual store of other users and how Windows validates impersonation levels. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3038680.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

^[1]The 3035131 update for Windows 7 and Windows Server 2008 R2 has affected binaries in common with the update being released simultaneously via Security Advisory 3033929. See the Update FAQ entry in this bulletin to learn how this could impact customers who download and install updates manually.

^[2]This update is available via Windows Update only.

How is the 3035131 update related to Security Advisory 3033929?
For Windows 7 and Windows Server 2008 R2, the 3035131 update discussed in this bulletin shares affected binaries with the update being released simultaneously via Security Advisory 3033929. This overlap in affected binaries necessitates that one update supersede the other and in this case it is advisory update 3033929 that supersedes update 3035131. Customers with automatic updating enabled should experience no unusual installation behavior; both updates should install automatically and both should appear in the list of installed updates. However, for customers who download and install updates manually, the order in which the updates are installed will determine the observed behavior as follows:

1. Scenario 1 (preferred): Customer first installs update 3035131 and then installs advisory update 3033929. Result: Both updates should install normally and both updates should appear in the list of installed updates.

2. Scenario 2: Customer first installs advisory update 3033929 and then attempts to install update 3035131. Result: The installer notifies the user that the 3035131 update is already installed on the system; and the 3035131 update is NOT added to the list of installed updates.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

An elevation of privilege vulnerability exists in the way that Windows Registry Virtualization improperly allows a user to modify the virtual store of another user. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the account of another user who is logged on to the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts potentially with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over the account of another user who is logged on to the affected system. The update addresses the vulnerability by correcting how Windows Registry Virtualization handles the virtual store of other users.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

The following mitigating factors may be helpful in your situation:

• Only processes that use Registry Virtualization are affected by this vulnerability.

  • Registry virtualization is enabled only for the following:

    • 32-bit interactive processes

    • Keys in HKEY_LOCAL_MACHINE\Software

    • Keys that an administrator can write to.

      (If an administrator cannot write to a key, then the application would have failed on previous versions of Windows even if it was run by an administrator.)

  • Registry virtualization is disabled for the following:

    • 64-bit processes that are not interactive, such as services.
      Note Using the registry as an inter-process communication (IPC) mechanism between a service (or any other process that does not have virtualization enabled) and an application will not work correctly if the key is virtualized. For instance, if an antivirus service updates its signature files based on a value set by an application, the service will never update its signature files because the service reads from the global store but the application writes to the virtual store. Processes that impersonate a user. If a process attempts an operation while impersonating a user, that operation will not be virtualized. Kernel-mode processes such as drivers.
    • Processes that have requestedExecutionLevel specified in their manifests.
    • Keys and subkeys of HKEY_LOCAL_MACHINE\Software\Classes, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows, and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT.
      See Registry Virtualization for more information.

The following workarounds may be helpful in your situation:

• Disable Registry Virtualization

Using Group Policy:

The User Account Control: Virtualize file and registry write failures to per-user locations policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

The options are:

• Enabled. (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
• Disabled. Applications that write data to protected locations fail.

Using registry settings:

In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, set the DWORD value "EnableVirtualization" to 0 to disable file and registry virtualization, or 1 to enable (this is the default)

For more information, see User Account Control: Virtualize file and registry write failures to per-user locations.

Impact of workaround. Software that depends on being able to write to protected registry and file system locations may not work properly.

An elevation of privilege vulnerability exists when Windows fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass user account checks to gain elevated privileges.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges. The update addresses the vulnerability by correcting how Windows validates impersonation levels.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Microsoft has not identified any mitigating factors for this vulnerability.

Microsoft has not identified any workarounds for this vulnerability.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (March 10, 2015): Bulletin published.
• V2.0 (March 16, 2015): To address a packaging issue for customers who are repeatedly reoffered security update 3033395 when installed on systems running supported editions of Windows Server 2003, Microsoft released update 3033395-v2 for all supported editions of Windows Server 2003. Customers who have not already installed the 3033395 update should install update 3033395-v2 to be fully protected from this vulnerability. To avoid the possibility of future detection logic problems, Microsoft recommends that customers running Windows Server 2003 who have already successfully installed the 3033395 update also apply update 3033395-v2 even though they are already protected from this vulnerability. Customers running other Microsoft operating systems are not affected by this rerelease and do not need to take any action. See Microsoft Knowledge Base Article 3033395 for more information.

Page generated 2015-03-16 14:59Z-07:00.