=====================================================================
                            CERT-Renater
                  Information Note No. 2015/VULN036
_____________________________________________________________________

DATE                 : 15/04/2015

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Windows versions 7, Server 2003, Server 2008, Vista
                       running Microsoft Graphics Component.

======================================================================
KB3046306
https://technet.microsoft.com/en-us/library/security/MS15-035
______________________________________________________________________

Microsoft Security Bulletin MS15-035 - Critical

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306)

Published: April 14, 2015
Version: 1.0

Executive Summary

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.

This security update is rated Critical for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the Affected Software section.

Affected Software

Windows Server 2003
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista
    Windows Vista Service Pack 2
    Windows Vista x64 Edition Service Pack 2

Windows Server 2008
    Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7
    Windows 7 for 32-bit Systems Service Pack 1
    Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2
    Windows Server 2008 R2 for x64-based Systems Service Pack 1
    Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Server Core installation option
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Vulnerability Information

EMF Processing Remote Code Execution Vulnerability - CVE-2015-1645

A remote code execution vulnerability exists in the way that Microsoft Windows improperly processes certain, specially crafted Enhanced Metafile (EMF) image format files. An attacker who successfully exploited the vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince users to view the website.
This could also include compromised websites or websites that accept or host user-provided content or banner advertisements; such websites could contain specially crafted content that is designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to do so, typically by getting them to click a link in an email or Instant Messenger request.

In an email attack scenario, an attacker could exploit the vulnerability by sending Outlook users a specially crafted email, or sending them a specially crafted Office document as an attachment, and convincing the user to read the message or open the file.

An attacker could also exploit this vulnerability by hosting a malicious image file on a network share and convincing users to navigate to the folder in Windows Explorer.

The security update addresses the vulnerability by correcting how Windows processes EMF files.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================