Business

News

 
More...

Alerts

 
More...

Events

 
More...
 
     
 

Microsoft Windows Shell Remote Code Execution Vulnerabilities

 

Systems Affected



Windows Vista and Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems and x64-based Systems SP2
Windows Server 2008 for Itanium-based Systems SP2
Windows 7 for 32-bit and x64-based Systems SP1
Windows Server 2008 R2 for Itanium-based Systems and x64-based Systems SP1
Windows 8 and 8.1 for 32-bit and x64-based Systems
Windows Server 2012 and Windows Server 2012 R2
Windows RT and Windows RT 8.1
Windows 10 for 32-bit and x64-based Systems

Threat Level


High


Overview


Two vulnerabilities have been reported in Microsoft Windows Shell, which could be exploited by remote attackers to execute an arbitrary code and completely compromise the affected system.


Description


1. Microsoft Windows Toolbar Handling Use-After-Free Vulnerability ( CVE-2015-2515 )
This vulnerability exist in the toolbar component of Microsoft Windows due to improper memory operations performed by the affected software when handling crafted content. A remote attacker could exploit this vulnerability by convincing a user to open a malicious toolbar object. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user and take control of the affected system.

2. Microsoft Windows Tablet Input Band Use-After-Free Vulnerability( CVE-2015-2548 )
This vulnerability exist in the Microsoft Tablet Input Band component of Microsoft Windows due to improper memory operations performed when handling crafted content. A remote attacker could exploit this vulnerability by convincing a user to open a malicious toolbar object. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the user and take control of the affected system.

Workaround
Deny access to TipBand.dll


Impact



Solution/ Workarounds


Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS15-109


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.