Friday, December 18, 2015

MS15-130 exploit likely in coming days

TL;DR - If you haven't patched yet (and many of our clients have not), Rendition Infosec recommends that you do it. At least patch the MS15-130 vulnerability if you are running Windows 7 or Server 2k8R2 (no other versions are impacted). Do it now. Font parsing vulnerabilities are huge. An attacker could send you a PDF, an Office document, a web page, or an HTML-enabled email: basically anything that can trick your system into loading a custom font. This has the potential to result in remote code execution.

A trigger for the MS15-130 vulnerability was made publicly available as early as yesterday. I'm again teaching this week, so I can't devote the time to it I'd like to. But unlike MS15-127, which I wrote about last week, this particular vulnerability now has a trigger available, simplifying any exploit that would be created.

The vulnerability is reported to be in usp10.dll. This DLL handles some Unicode font parsing. I'll post patch differentials and maybe work on this a little bit tomorrow. I'm wrapping up the new SANS CTI class (FOR578) today and have to host DFIR Netwars tonight at SANS CDI.
