The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Windows Server 2008 R2

computer vulnerability announce CVE-2015-1635

Windows: code execution via HTTP.sys

Synthesis of the vulnerability

An attacker can send web queries to a service using HTTP.sys of Windows, such as IIS, in order to execute code.
Impacted products: IIS, Windows 2008 R2, Windows 2012, Windows 7, Windows 8.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 14/04/2015.
Revision date: 17/04/2015.
Identifiers: 3042553, CERTFR-2015-AVI-152, CVE-2015-1635, MS15-034, VIGILANCE-VUL-16597.

Description of the vulnerability

The Windows product uses the HTTP.sys driver to process HTTP queries.

However, a malicious query leads to code execution in HTTP.sys. The vulnerability is related to the processing of the Range header of HTTP.

An attacker can therefore send web queries to a service using HTTP.sys of Windows, such as IIS, in order to execute code.

vulnerability alert 16611

Microsoft Windows: credentials disclosure via HTTP redirections

Synthesis of the vulnerability

An attacker who controls both an HTTP server used by an application based on urlmon.dll and a CIFS server can use HTTP redirections to get encrypted user credentials.
Impacted products: Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 15/04/2015.
Identifiers: VIGILANCE-VUL-16611, VU#672268.

Description of the vulnerability

Microsoft Windows provides the urlmon.dll library, which implements an HTTP client.

This client follows HTTP redirections. However, it does so even if the URL scheme is changed from "http" to "file". So, when the redirection target is an SMB/CIFS server, the client automatically sends the user credentials (user name and password hash) to the CIFS server.

An attacker who controls both an HTTP server used by an application based on urlmon.dll and a CIFS server can therefore use HTTP redirections to get encrypted user credentials.

vulnerability note CVE-2015-1648

Microsoft .NET: information disclosure via customErrors

Synthesis of the vulnerability

An attacker can generate an error in a Microsoft .NET/ASP.NET application, in order to obtain sensitive information.
Impacted products: IIS, .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 14/04/2015.
Identifiers: 3048010, CERTFR-2015-AVI-159, CVE-2015-1648, MS15-041, VIGILANCE-VUL-16604.

Description of the vulnerability

Microsoft .NET uses the ASP.NET customErrors directive to define the type of error messages to be displayed.

However, when the customErrors mode is disabled, an attacker can trigger an error in order to read details about the application.

An attacker can therefore generate an error in a Microsoft .NET/ASP.NET application, in order to obtain sensitive information.

vulnerability announce CVE-2015-1646

Windows: file reading via MSXML3 DTD

Synthesis of the vulnerability

An attacker can create a malicious DTD, to read a file via MSXML3 of Windows, in order to obtain sensitive information.
Impacted products: Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista.
Severity: 3/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 14/04/2015.
Identifiers: 3046482, CERTFR-2015-AVI-157, CVE-2015-1646, MS15-039, VIGILANCE-VUL-16602.

Description of the vulnerability

The Microsoft XML Core Services (MSXML) library is used by Microsoft applications which process XML data.

It loads DTDs for XML files. However, an attacker can invite the victim to open a malicious DTD, in order to access the victim's local files.

An attacker can therefore create a malicious DTD, to read a file via MSXML3 of Windows, in order to obtain sensitive information.

vulnerability alert CVE-2015-1643 CVE-2015-1644

Windows: two vulnerabilities of Impersonation

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Windows.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 14/04/2015.
Identifiers: 3049576, CERTFR-2015-AVI-156, CVE-2015-1643, CVE-2015-1644, MS15-038, VIGILANCE-VUL-16601.

Description of the vulnerability

Several vulnerabilities were announced in Windows.

An attacker can use an impersonation level in NtCreateTransactionManager, in order to escalate his privileges. [severity:2/4; CVE-2015-1643]

An attacker can use an impersonation level in an MS-DOS Device Name, in order to escalate his privileges. [severity:2/4; CVE-2015-1644]

vulnerability CVE-2015-0098

Windows: privilege escalation via Task Scheduler

Synthesis of the vulnerability

A local attacker can use the Task Scheduler of Windows, in order to escalate his privileges.
Impacted products: Windows 2008 R2, Windows 7.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 14/04/2015.
Identifiers: 3046269, CERTFR-2015-AVI-155, CVE-2015-0098, MS15-037, VIGILANCE-VUL-16600.

Description of the vulnerability

The Task Scheduler service of Windows runs programmed commands.

However, an attacker can use an invalid task present on some systems, in order to execute code with System privileges.

A local attacker can therefore use the Task Scheduler of Windows, in order to escalate his privileges.

computer vulnerability bulletin CVE-2015-1645

Windows: memory corruption via EMF

Synthesis of the vulnerability

An attacker can generate a memory corruption via EMF in Windows, in order to trigger a denial of service, and possibly to execute code.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 14/04/2015.
Identifiers: 3046306, CERTFR-2015-AVI-153, CVE-2015-1645, MS15-035, VIGILANCE-VUL-16598.

Description of the vulnerability

The EMF (Enhanced Metafile) format stores images composed of objects (line, rectangle, text, etc.) and it is handled by gdiplus.dll.

However, when a malicious image is displayed, the memory is corrupted in MRSETDIBITSTODEVICE::bPlay(). An attacker can set up a malicious web site hosting this EMF image, and then invite victims to connect with Internet Explorer.

An attacker can therefore generate a memory corruption via EMF in Windows, in order to trigger a denial of service, and possibly to execute code.

vulnerability 16460

Windows: fraudulent certificate emitted for Google

Synthesis of the vulnerability

An attacker, who owns the malicious "google.com" certificate, can use a Man-in-the-middle attack on a fake Google site, in order for example to obtain sensitive information.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows Mobile, Windows RT, Windows Vista.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 25/03/2015.
Identifiers: 3050995, VIGILANCE-VUL-16460.

Description of the vulnerability

The Windows system is installed with trusted certification authorities, such as "China Internet Network Information Center (CNNIC)".

However, this authority published a malicious certificate for "google.com", "gmail.com", "googleapis.com", etc.

An attacker, who owns the malicious "google.com" certificate, can therefore use a Man-in-the-middle attack on a fake Google site, in order for example to obtain sensitive information.

computer vulnerability alert 16396

Windows: fraudulent certificate emitted for Live.fi

Synthesis of the vulnerability

An attacker, who owns the "www.live.fi" certificate, can use a Man-in-the-middle attack on a fake Live site, in order for example to obtain sensitive information.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows Mobile, Windows RT, Windows Vista.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 17/03/2015.
Identifiers: 3046310, VIGILANCE-VUL-16396.

Description of the vulnerability

The Windows system is installed with trusted certification authorities, such as "COMODO RSA Domain Validation Secure Server CA".

However, this authority published a malicious certificate for "www.live.fi".

An attacker, who owns the malicious "www.live.fi" certificate, can therefore use a Man-in-the-middle attack on a fake Live site, in order for example to obtain sensitive information.

vulnerability bulletin CVE-2015-0076

Windows: information disclosure via JXR

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious JXR image, to read a memory fragment of Windows, in order to obtain sensitive information.
Impacted products: Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 10/03/2015.
Identifiers: 3035126, CERTFR-2015-AVI-105, CVE-2015-0076, MS15-029, VIGILANCE-VUL-16373.

Description of the vulnerability

The Windows system analyzes JXR (JPEG XR) images before displaying them.

However, it does not initialize a memory area before returning it to the user.

An attacker can therefore invite the victim to display a malicious JXR image, to read a memory fragment of Windows, in order to obtain sensitive information.