Microsoft Security Bulletin MS15-025 - Important

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (3038680)

Published: March 10, 2015 | Updated: March 16, 2015

Version: 2.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker who successfully exploited the vulnerability could run arbitrary code in the security context of the account of another user who is logged on to the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts potentially with full user rights.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Windows Registry Virtualization handles the virtual store of other users and how Windows validates impersonation levels. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3038680.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

**Operating System** **Maximum Security Impact** **Aggregate Severity Rating** **Updates Replaced**
**Windows Server 2003**
[Windows Server 2003 Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=658e35c3-ad4c-43ad-b154-f11b1bde4cf5) (3033395-v2) Elevation of Privilege Important 2859537 in [MS13-063](http://go.microsoft.com/fwlink/?linkid=309338)
[Windows Server 2003 x64 Edition Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=b416888c-dfe1-463a-87ad-db55f4222365) (3033395-v2) Elevation of Privilege Important 2813170 in [MS13-031](http://go.microsoft.com/fwlink/?linkid=282388)
[Windows Server 2003 with SP2 for Itanium-based Systems](http://www.microsoft.com/downloads/details.aspx?familyid=99af9e61-65f7-4636-847c-8ab6f0cfa748) (3033395-v2) Elevation of Privilege Important 2813170 in [MS13-031](http://go.microsoft.com/fwlink/?linkid=282388)
**Windows Vista**
[Windows Vista Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=d8f9cb74-0f78-45b7-8cb4-b80607a30fdc) (3035131) Elevation of Privilege Important None
[Windows Vista x64 Edition Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=a75720e3-8abc-4648-a162-ceddbf3468c9) (3035131) Elevation of Privilege Important None
**Windows Server 2008**
[Windows Server 2008 for 32-bit Systems Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=00de0310-6853-4abd-be10-d9d309bc5b7f) (3035131) Elevation of Privilege Important None
[Windows Server 2008 for x64-based Systems Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=5d52dc4d-aaa7-4d86-8f43-d7dafd38393c) (3035131) Elevation of Privilege Important None
[Windows Server 2008 for Itanium-based Systems Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=a08d2497-e988-41c2-a190-637acae8bdc4) (3035131) Elevation of Privilege Important None
**Windows 7**
[Windows 7 for 32-bit Systems Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=f2e4a8cf-36e9-43ac-b355-529ad64b64f9) (3035131)[1] Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows 7 for x64-based Systems Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=92d77046-0a1d-4761-9592-bce781b9469b) (3035131)[1] Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
**Windows Server 2008 R2**
[Windows Server 2008 R2 for x64-based Systems Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=6be66743-0f64-482a-8b3f-33e9f69ab939) (3035131)[1] Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows Server 2008 R2 for Itanium-based Systems Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=4eca4094-670f-482f-841e-e98f3325159d) (3035131)[1] Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
**Windows 8 and Windows 8.1**
[Windows 8 for 32-bit Systems](http://www.microsoft.com/downloads/details.aspx?familyid=48579083-f283-4636-a09a-18ac39cede18) (3035131) Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows 8 for x64-based Systems](http://www.microsoft.com/downloads/details.aspx?familyid=1473e5bd-e2dc-412c-a230-4c6de0b58b17) (3035131) Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows 8.1 for 32-bit Systems](http://www.microsoft.com/downloads/details.aspx?familyid=73c63761-9c4a-4f93-a741-75f38e6799e8) (3035131) Elevation of Privilege Important 3031432 in [MS15-015](http://go.microsoft.com/fwlink/?linkid=525538)
[Windows 8.1 for x64-based Systems](http://www.microsoft.com/downloads/details.aspx?familyid=c09cb703-32b3-4d38-afd8-64dd7b2427f2) (3035131) Elevation of Privilege Important 3031432 in [MS15-015](http://go.microsoft.com/fwlink/?linkid=525538)
**Windows Server 2012 and Windows Server 2012 R2**
[Windows Server 2012](http://www.microsoft.com/downloads/details.aspx?familyid=63f73141-3187-493a-a4e4-8a863fc774b4) (3035131) Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows Server 2012 R2](http://www.microsoft.com/downloads/details.aspx?familyid=768f2d9d-4355-411a-ae77-827f14ef66c6) (3035131) Elevation of Privilege Important 3031432 in [MS15-015](http://go.microsoft.com/fwlink/?linkid=525538)
**Windows RT and Windows RT 8.1**
Windows RT[2] (3035131) Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
Windows RT 8.1[2] (3035131) Elevation of Privilege Important 3031432 in [MS15-015](http://go.microsoft.com/fwlink/?linkid=525538)
**Server Core installation option**
[Windows Server 2008 for 32-bit Systems Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=00de0310-6853-4abd-be10-d9d309bc5b7f) (Server Core installation) (3035131) Elevation of Privilege Important None
[Windows Server 2008 for x64-based Systems Service Pack 2](http://www.microsoft.com/downloads/details.aspx?familyid=5d52dc4d-aaa7-4d86-8f43-d7dafd38393c) (Server Core installation) (3035131) Elevation of Privilege Important None
[Windows Server 2008 R2 for x64-based Systems Service Pack 1](http://www.microsoft.com/downloads/details.aspx?familyid=6be66743-0f64-482a-8b3f-33e9f69ab939) (Server Core installation) (3035131)[1] Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows Server 2012](http://www.microsoft.com/downloads/details.aspx?familyid=63f73141-3187-493a-a4e4-8a863fc774b4) (Server Core installation) (3035131) Elevation of Privilege Important 3023562 in [MS15-010](http://go.microsoft.com/fwlink/?linkid=525535)
[Windows Server 2012 R2](http://www.microsoft.com/downloads/details.aspx?familyid=768f2d9d-4355-411a-ae77-827f14ef66c6) (Server Core installation) (3035131) Elevation of Privilege Important 3031432 in [MS15-015](http://go.microsoft.com/fwlink/?linkid=525538)
[1]The 3035131 update for Windows 7 and Windows Server 2008 R2 has affected binaries in common with the update being released simultaneously via [Security Advisory 3033929](http://go.microsoft.com/fwlink/?linkid=528387). See the Update FAQ entry in this bulletin to learn how this could impact customers who download and install updates manually.

[2]This update is available via Windows Update only.

Update FAQ

How is the 3035131 update related to Security Advisory 3033929?
For Windows 7 and Windows Server 2008 R2, the 3035131 update discussed in this bulletin shares affected binaries with the update being released simultaneously via Security Advisory 3033929. This overlap in affected binaries necessitates that one update supersede the other and in this case it is advisory update 3033929 that supersedes update 3035131. Customers with automatic updating enabled should experience no unusual installation behavior; both updates should install automatically and both should appear in the list of installed updates. However, for customers who download and install updates manually, the order in which the updates are installed will determine the observed behavior as follows:

  1. Scenario 1 (preferred): Customer first installs update 3035131 and then installs advisory update 3033929. Result: Both updates should install normally and both updates should appear in the list of installed updates.

  2. Scenario 2: Customer first installs advisory update 3033929 and then attempts to install update 3035131. Result: The installer notifies the user that the 3035131 update is already installed on the system; and the 3035131 update is NOT added to the list of installed updates.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

**Vulnerability Severity Rating and Maximum Security Impact by Affected Software**
**Affected Software** [**Registry Virtualization Elevation of Privilege Vulnerability - CVE-2015-0073**](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0073) [**Impersonation Level Check Elevation of Privilege Vulnerability - CVE-2015-0075**](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0075) **Aggregate Severity Rating**
**Windows Server 2003**
Windows Server 2003 Service Pack 2 (3033395-v2) Not applicable **Important** Elevation of Privilege **Important**
Windows Server 2003 x64 Edition Service Pack 2 (3033395-v2) Not applicable **Important** Elevation of Privilege **Important**
Windows Server 2003 with SP2 for Itanium-based Systems (3033395-v2) Not applicable **Important** Elevation of Privilege **Important**
**Windows Vista**
Windows Vista Service Pack 2 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Vista x64 Edition Service Pack 2 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
**Windows Server 2008**
Windows Server 2008 for 32-bit Systems Service Pack 2 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2008 for x64-based Systems Service Pack 2 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2008 for Itanium-based Systems Service Pack 2 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
**Windows 7**
Windows 7 for 32-bit Systems Service Pack 1 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows 7 for x64-based Systems Service Pack 1 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
**Windows Server 2008 R2**
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
**Windows 8 and Windows 8.1**
Windows 8 for 32-bit Systems (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows 8 for x64-based Systems (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows 8.1 for 32-bit Systems (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows 8.1 for x64-based Systems (3035131) **Important** Elevation of Privilege Not applicable **Important**
**Windows Server 2012 and Windows Server 2012 R2**
Windows Server 2012 (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows Server 2012 R2 (3035131) **Important** Elevation of Privilege Not applicable **Important**
**Windows RT and Windows RT 8.1**
Windows RT (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows RT 8.1 (3035131) **Important** Elevation of Privilege Not applicable **Important**
**Server Core installation option**
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3035131) **Important** Elevation of Privilege **Important** Elevation of Privilege **Important**
Windows Server 2012 (Server Core installation) (3035131) **Important** Elevation of Privilege Not applicable **Important**
Windows Server 2012 R2 (Server Core installation) (3035131) **Important** Elevation of Privilege Not applicable **Important**

Vulnerability Information

Registry Virtualization Elevation of Privilege Vulnerability - CVE-2015-0073

An elevation of privilege vulnerability exists in the way that Windows Registry Virtualization improperly allows a user to modify the virtual store of another user. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the account of another user who is logged on to the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts potentially with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over the account of another user who is logged on to the affected system. The update addresses the vulnerability by correcting how Windows Registry Virtualization handles the virtual store of other users.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • Only processes that use Registry Virtualization are affected by this vulnerability.
    • Registry virtualization is enabled only for the following:

      • 32-bit interactive processes

      • Keys in HKEY_LOCAL_MACHINE\Software

      • Keys that an administrator can write to.

        (If an administrator cannot write to a key, then the application would have failed on previous versions of Windows even if it was run by an administrator.)

    • Registry virtualization is disabled for the following:

      • 64-bit processes that are not interactive, such as services.
        Note Using the registry as an inter-process communication (IPC) mechanism between a service (or any other process that does not have virtualization enabled) and an application will not work correctly if the key is virtualized. For instance, if an antivirus service updates its signature files based on a value set by an application, the service will never update its signature files because the service reads from the global store but the application writes to the virtual store. Processes that impersonate a user. If a process attempts an operation while impersonating a user, that operation will not be virtualized. Kernel-mode processes such as drivers.
      • Processes that have requestedExecutionLevel specified in their manifests.
      • Keys and subkeys of HKEY_LOCAL_MACHINE\Software\Classes, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows, and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT.
        See Registry Virtualization for more information.

Workarounds

The following workarounds may be helpful in your situation:

  • Disable Registry Virtualization

Using Group Policy:

The User Account Control: Virtualize file and registry write failures to per-user locations policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

The options are:

  • Enabled. (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.
  • Disabled. Applications that write data to protected locations fail.

Using registry settings:

In the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, set the DWORD value "EnableVirtualization" to 0 to disable file and registry virtualization, or 1 to enable (this is the default)

For more information, see User Account Control: Virtualize file and registry write failures to per-user locations.

Impact of workaround. Software that depends on being able to write to protected registry and file system locations may not work properly.

Impersonation Level Check Elevation of Privilege Vulnerability - CVE-2015-0075

An elevation of privilege vulnerability exists when Windows fails to properly validate and enforce impersonation levels. An attacker who successfully exploited this vulnerability could bypass user account checks to gain elevated privileges.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges. The update addresses the vulnerability by correcting how Windows validates impersonation levels.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (March 10, 2015): Bulletin published.
  • V2.0 (March 16, 2015): To address a packaging issue for customers who are repeatedly reoffered security update 3033395 when installed on systems running supported editions of Windows Server 2003, Microsoft released update 3033395-v2 for all supported editions of Windows Server 2003. Customers who have not already installed the 3033395 update should install update 3033395-v2 to be fully protected from this vulnerability. To avoid the possibility of future detection logic problems, Microsoft recommends that customers running Windows Server 2003 who have already successfully installed the 3033395 update also apply update 3033395-v2 even though they are already protected from this vulnerability. Customers running other Microsoft operating systems are not affected by this rerelease and do not need to take any action. See Microsoft Knowledge Base Article 3033395 for more information.

Page generated 2015-03-16 14:59Z-07:00.