==================================================================== CERT-Renater Note d'Information No. 2015/VULN153 _____________________________________________________________________ DATE : 15/07/2015 OLE objects HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows version Server 2003, Vista, Server 2008, 7, 8, 8.1, Server 2012, RT, RT 8.1 running Windows OLE objects . ====================================================================== KB3072633 https://technet.microsoft.com/en-us/library/security/MS15-075 ______________________________________________________________________ Microsoft Security Bulletin MS15-075 Important: Vulnerabilities in OLE Could Allow Elevation of Privilege (3072633) Bulletin Number: MS15-075 Bulletin Title: Vulnerabilities in OLE Could Allow Elevation of Privilege Severity: Important KB Article: 3072633 Version: 1.0 Published Date: July 14, 2015 OLE objects Executive Summary This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker convinces a user to open a file that contains a specially crafted OLE component. This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section. Affected Software Windows Server 2003 OLE objects Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP2 for Itanium-based Systems Windows Vista Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows 7 Windows 7 for 32-bit Systems Service Pack 1 Windows 7 for x64-based Systems Service Pack 1 Windows Server 2008 R2 Windows Server 2008 R2 for x64-based Systems Service Pack 1 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Windows 8 and Windows 8.1 Windows 8 for 32-bit Systems Windows 8 for x64-based Systems Windows 8.1 for 32-bit Systems Windows 8.1 for x64-based Systems Windows Server 2012 and Windows Server 2012 R2 Windows Server 2012 Windows Server 2012 R2 Windows RT and Windows RT 8.1 Windows RT[1] Windows RT 8.1[1] Server Core installation option Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Windows Server 2012 (Server Core installation) Windows Server 2012 R2 (Server Core installation) [1]This update is available via Windows Update only. Vulnerability Information Multiple OLE Elevation of Privilege Vulnerabilities Elevation of privilege vulnerabilities exists when OLE objects are improperly handled in memory. An attacker who successfully exploited the vulnerabilities could elevate privileges on a targeted system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. An attacker could exploit the vulnerabilities by convincing a user to open a file that contains a specially crafted OLE object. However, an attacker would have to convince a user to open the file by way of enticements in a webpage or email containing an attachment. The security update addresses the vulnerabilities by modifying how OLE objects are handled in memory. Vulnerability title CVE number OLE Elevation of Privilege Vulnerability CVE-2015-2416 OLE Elevation of Privilege Vulnerability CVE-2015-2417 ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================