다음을 통해 공유


Microsoft Security Bulletin: April 2015 Release!

3823_7103_securitybulletin_thumb_32407BF9_thumb_12CC8186

That time is upon us again when it’s time to review our servers and apply updates where needed. Please see the details below for the list of security bulletins for this month. This month we have 11 bulletins to consider.

Bulletin ID

Bulletin Title and Executive Summary

Maximum Severity Ratingand Vulnerability Impact

Restart Requirement

KnownIssues

AffectedSoftware

MS15-032

Cumulative Security Update for Internet Explorer (3038314) This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Remote Code Execution

Requires restart

---------

Microsoft Windows,Internet Explorer

MS15-033

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (3048019) This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Critical Remote Code Execution

May require restart

---------

Microsoft Office

MS15-034

Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553) This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.

Critical Remote Code Execution

Requires restart

---------

Microsoft Windows

MS15-035

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (3046306) This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker successfully convinces a user to browse to a specially crafted website, open a specially crafted file, or browse to a working directory that contains a specially crafted Enhanced Metafile (EMF) image file. In all cases, however, an attacker would have no way to force users to take such actions; an attacker would have to convince users to do so, typically by way of enticements in email or Instant Messenger messages.

Critical Remote Code Execution

May require restart

---------

Microsoft Windows

MS15-036

Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (3052044) This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow elevation of privilege if an attacker sends a specially crafted request to an affected SharePoint server. An attacker who successfully exploited the vulnerabilities could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim’s browser.

Important Elevation of Privilege

May require restart

---------

Microsoft Server Software,Productivity Software

MS15-037

Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (3046269) This security update resolves a vulnerability in Microsoft Windows. An attacker who successfully exploited the vulnerability could leverage a known invalid task to cause Task Scheduler to run a specially crafted application in the context of the System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Important Elevation of Privilege

Does not require restart

---------

Microsoft Windows

MS15-038

Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (3049576) This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. To exploit these vulnerabilities, an attacker would first have to log on to the system.

Important Elevation of Privilege

Requires restart

---------

Microsoft Windows

MS15-039

Vulnerability in XML Core Services Could Allow Security Feature Bypass (3046482) This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if a user clicks a specially crafted link. In all cases, however, an attacker would have no way to force users to click a specially crafted link; an attacker would have to convince users to click the link, typically by way of an enticement in an email or Instant Messenger message.

Important Security Feature Bypass

May require restart

---------

Microsoft Windows

MS15-040

Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (3045711) This security update resolves a vulnerability in Active Directory Federation Services (AD FS). The vulnerability could allow information disclosure if a user leaves their browser open after logging off from an application and an attacker reopens the application in the browser immediately after the user has logged off.

Important Information Disclosure

May require restart

---------

Microsoft Windows

MS15-041

Vulnerability in .NET Framework Could Allow Information Disclosure (3048010) This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.

Important Information Disclosure

May require restart

---------

Microsoft Windows, Microsoft .NET Framework

MS15-042

Vulnerability in Windows Hyper-V Could Allow Denial of Service (3047234) This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an authenticated attacker runs a specially crafted application in a virtual machine (VM) session. Note that the denial of service does not allow an attacker to execute code or elevate user rights on other VMs running on the Hyper-V host; however, it could cause other VMs on the host to not be manageable in Virtual Machine Manager.

Important Denial of Service

Requires restart

---------

Microsoft Windows

The table above is just a summary from the Bulletin release page. Make sure you check that out to get more detailed information including exploitability index and more details of affected software.

Jeffa

Technorati Tags: Security Bulletins,Updates,Patching