Vulnerabilities > CVE-2015-6106 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2, Office 2007 SP3, Office 2010 SP2, Word Viewer, Skype for Business 2016, Lync 2010, Lync 2013 SP1, and Live Meeting 2007 Console allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Graphics Memory Corruption Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 9 | |
| OS | 2 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Msbulletin
| bulletin_id | MS15-128 |
| bulletin_url | |
| date | 2015-12-08T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 3104503 |
| knowledgebase_url | |
| severity | Critical |
| title | Security Update for Microsoft Graphics Component to Address Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS15-128.NASL description The remote Windows host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 87257 published 2015-12-08 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/87257 title MS15-128: Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(87257); script_version("1.12"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2015-6106", "CVE-2015-6107", "CVE-2015-6108"); script_bugtraq_id(78497, 78498, 78499); script_xref(name:"MSFT", value:"MS15-128"); script_xref(name:"MSKB", value:"3085612"); script_xref(name:"MSKB", value:"3085616"); script_xref(name:"MSKB", value:"3099860"); script_xref(name:"MSKB", value:"3099862"); script_xref(name:"MSKB", value:"3099863"); script_xref(name:"MSKB", value:"3099864"); script_xref(name:"MSKB", value:"3099866"); script_xref(name:"MSKB", value:"3099869"); script_xref(name:"MSKB", value:"3099874"); script_xref(name:"MSKB", value:"3106614"); script_xref(name:"MSKB", value:"3109094"); script_xref(name:"MSKB", value:"3114351"); script_xref(name:"MSKB", value:"3114372"); script_xref(name:"MSKB", value:"3114478"); script_xref(name:"MSKB", value:"3115871"); script_xref(name:"MSKB", value:"3115872"); script_xref(name:"MSKB", value:"3115873"); script_xref(name:"MSKB", value:"3115875"); script_xref(name:"MSKB", value:"3116869"); script_xref(name:"MSKB", value:"3116900"); script_xref(name:"IAVA", value:"2015-A-0308"); script_name(english:"MS15-128: Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)"); script_summary(english:"Checks the file versions."); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple remote code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-128"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10. Additionally, Microsoft has released a set of patches for Office 2007, Office 2010, Word Viewer, Lync 2010, Lync 2010 Attendee, Lync 2013, Lync Basic 2013, Skype for Business 2016, Live Meeting 2007 Console, Silverlight; and .NET framework 3.0 SP2, 3.5, 3.5.1, 4, 4.5.1, 4.5.2, and 4.6."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"patch_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2007"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2010"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:live_meeting:2007"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2010"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2010:attendee"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2013"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync_basic:2013"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:skype_for_business:2016"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "office_installed.nasl", "microsoft_lync_server_installed.nasl", "silverlight_detect.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_reg_query.inc"); include("misc_func.inc"); include("install_func.inc"); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); global_var bulletin, vuln, arch; arch = get_kb_item_or_exit('SMB/ARCH'); vuln = 0; bulletin = 'MS15-128'; kbs = make_list( "3085612", "3085616", "3099860", "3099862", "3099863", "3099864", "3099866", "3099869", "3099874", "3106614", "3109094", "3114351", "3114372", "3114478", "3115871", "3115872", "3115873", "3115875", "3116869", "3116900" ); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); winver = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); # Windows Checks function perform_windows_checks() { if ( hotfix_is_vulnerable(os:"10", sp:0, file:"gdiplus.dll", version:"10.0.10586.20", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:'3116900') || hotfix_is_vulnerable(os:"10", sp:0, file:"gdiplus.dll", version:"10.0.10240.16603", dir:"\system32", bulletin:bulletin, kb:'3116869') || # 8.1 / 2012 R2 hotfix_is_vulnerable(os:"6.3", sp:0, file:"dwrite.dll", version:"6.3.9600.18123", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") || # 8 / 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"dwrite.dll", version:"6.2.9200.17568", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") || hotfix_is_vulnerable(os:"6.2", sp:0, file:"dwrite.dll", version:"6.2.9200.21687", min_version:"6.2.9200.20000 ", dir:"\system32", bulletin:bulletin, kb:"3109094") || # 7 / 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.2.9200.17568", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") || hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.2.9200.21687", min_version:"6.2.9200.20000 ", dir:"\system32", bulletin:bulletin, kb:"3109094") || hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.1.7601.19061", min_version:"6.1.7601.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") || hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.1.7601.23265", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3109094") || # Vista / 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"dwrite.dll", version:"7.0.6002.19535", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3109094") || hotfix_is_vulnerable(os:"6.0", sp:2, file:"dwrite.dll", version:"7.0.6002.23845", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:"3109094") ) vuln++; } # dotnet checks function perform_dotnet_checks() { local_var dotnet_452_installed, dotnet_451_installed, dotnet_45_installed, dotnet_46_installed; local_var ver, missing, count, installs, install; # Determine if .NET 4.5, 4.5.1, or 4.5.2 is installed dotnet_452_installed = FALSE; dotnet_451_installed = FALSE; dotnet_45_installed = FALSE; dotnet_46_installed = FALSE; count = get_install_count(app_name:'Microsoft .NET Framework'); if (count > 0) { installs = get_installs(app_name:'Microsoft .NET Framework'); foreach install(installs[1]) { ver = install["version"]; if (ver == "4.5") dotnet_45_installed = TRUE; if (ver == "4.6") dotnet_46_installed = TRUE; if (ver == "4.5.1") dotnet_451_installed = TRUE; if (ver == "4.5.2") dotnet_452_installed = TRUE; } } ########## KB3099860 ############# # .NET Framework 3.0 SP2 # # Windows Vista SP2 # # Windows Server 2008 SP2 # ################################## missing = 0; missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0300.dll", version:"3.0.6920.4230", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF"); missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000", dir:"\Microsoft.NET\Framework\v3.0\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099860"); vuln += missing; ########### KB3099866 ############# # .NET Framework 4 # # Windows Vista SP2 # # Windows Server 2008 SP2 # ################################### missing = 0; # Windows Vista/Server 2008 SP2 missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0400.dll", version:"4.0.30319.1044", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF"); missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0400.dll", version:"4.0.30319.2077", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2099866"); vuln += missing; ########### KB3099869 ############ # .NET Framework 4.5/4.5.1/4.5.2 # # Windows Vista SP2 # # Windows Server 2008 SP2 # ################################## missing = 0; if (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed) { missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.0.30319.34280", min_version:"4.0.30319.30000", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF"); missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.0.30319.36330", min_version:"4.0.30319.34500", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF"); } if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099869"); vuln += missing; ############ KB3099874 ########### # .NET Framework 4.6 # # Windows Vista SP2 # # Windows Server 2008 SP2 # ################################## missing = 0; if (dotnet_46_installed) { missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.6.118.0", min_version:"4.6.0.0", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF"); if(arch == "x64") missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.6.118.0", min_version:"4.6.0.0", dir:"\Microsoft.NET\Framework64\v4.0.30319\WPF"); } if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099874"); vuln += missing; ############ KB3099864 ############ # .NET Framework 3.5 # # Windows 8.1 # # Windows Server 2012 R2 # ################################### missing = 0; missing += hotfix_is_vulnerable(os:"6.3", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8009", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF"); missing += hotfix_is_vulnerable(os:"6.3", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.8200", dir:"\Microsoft.NET\Framework\v3.0\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099864"); vuln += missing; ########### KB3099862 ############# # .NET Framework 3.5.1 # # Windows 7 SP1 # # Windows Server 2008 R2 SP1 # ################################### missing = 0; missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"wpfgfx_v0300.dll", version:"3.0.6920.5470", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF"); missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000", dir:"\Microsoft.NET\Framework\v3.0\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099862"); vuln += missing; ########### KB3099863 ########### # .NET Framework 3.5 # # Windows 8 # # Windows Server 2012 # ################################# missing = 0; missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.6422", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF"); missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000", dir:"\Microsoft.NET\Framework\v3.0\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099863"); vuln += missing; ############# KB3116869 ############# # .NET Framework 3.5 # # Windows 10 # ##################################### missing = 0; # .NET 3.5 missing += hotfix_is_vulnerable(os:"10", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF"); if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3116869"); vuln += missing; } # KB 3085546 / KB 3085529 (Office Checks) function perform_office_checks() { local_var office_versions, office_sp; local_var path, wvinst, wvkb; office_versions = hotfix_check_office_version(); # Office 2010 is only affected on Windows versions earlier than Vista if (winver !~ '^([0-5\\.]|6\\.0$)') { if (office_versions["14.0"]) { office_sp = get_kb_item("SMB/Office/2010/SP"); if (!isnull(office_sp) && office_sp == 2) { path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"14.0"), value:"\Microsoft Shared\Office14"); if (hotfix_check_fversion(file:"Ogl.dll", version:"14.0.7164.5000", min_version:"14.0.0.0", path:path, bulletin:bulletin, kb:"3085612", product:"Microsoft Office 2010 SP2") == HCF_OLDER) vuln++; } } } if (office_versions["12.0"]) { office_sp = get_kb_item("SMB/Office/2007/SP"); if (office_sp == 3) { path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"12.0"), value:"\Microsoft Shared\Office12"); if (hotfix_check_fversion(file:"Ogl.dll", version:"12.0.6738.5000", min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:'3085616', product:"Microsoft Office 2007 SP3") == HCF_OLDER) vuln++; } } # Word Viewer wvinst = get_kb_list("SMB/Office/WordViewer/*/ProductPath"); if (!empty_or_null(wvinst)) { foreach wvkb (keys(wvinst)) { if ("11.0" >!< wvkb) continue; # Delete exe part path = ereg_replace(pattern:"[Ww]ordview\.exe$", replace:'', string:get_kb_item(wvkb)); if (hotfix_check_fversion(file:"gdiplus.dll", version:"11.0.8422.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'3114478', product:"Microsoft Word Viewer") == HCF_OLDER) vuln++; } } } # Lync checks function perform_lync_checks() { local_var lync_count, lync_installs, lync_install; lync_count = get_install_count(app_name:"Microsoft Lync"); # Nothing to do if (int(lync_count) <= 0) return; lync_installs = get_installs(app_name:"Microsoft Lync"); foreach lync_install (lync_installs[1]) { #if ("Live Meeting 2007 Console" >< lync_install["Product"]) #{ # if (hotfix_check_fversion(file:"pubutil.dll", version:"8.0.6362.249", min_version:"8.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115875", product:"Live Meeting 2007 Console") == HCF_OLDER) # vuln++; #} if (lync_install["version"] =~ "^4\.0\." && "Server" >!< lync_install["Product"]) { # Lync 2010 if ("Attendee" >!< lync_install["Product"]) { if (hotfix_check_fversion(file:"communicator.exe", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115875", product:"Microsoft Lync 2010") == HCF_OLDER) vuln++; } # Lync 2010 Attendee else if ("Attendee" >< lync_install["Product"]) { if ("user level" >< tolower(lync_install["Product"])) # User { if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115872", product:lync_install["Product"]) == HCF_OLDER) vuln++; } else # Admin { if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115873", product:lync_install["Product"]) == HCF_OLDER) vuln++; } } } # Lync 2013 else if (lync_install["version"] =~ "^15\.0\." && "Server" >!< lync_install["Product"]) { if (hotfix_check_fversion(file:"Lync.exe", version:"15.0.4779.1001", min_version:"15.0.4569.1503", path:lync_install["path"], bulletin:bulletin, kb:"3101496", product:"Microsoft Lync 2013 (Skype for Business)") == HCF_OLDER) vuln++; } # Skype for Business 2016 else if (lync_install["version"] =~ "^16\.0\." && "Server" >!< lync_install["Product"]) { if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.4312.1000", channel:"MSI", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3085634", product:"Skype for Business 2016") == HCF_OLDER) vuln++; if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.6001.1043", channel:"Current", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3085634", product:"Skype for Business 2016") == HCF_OLDER) vuln++; } } } # Silverlight Check function perform_silverlight_checks() { local_var slver, report, path; slver = get_kb_item("SMB/Silverlight/Version"); if (slver && slver =~ "^5\." && ver_compare(ver:slver, fix:"5.1.41105.0",strict:FALSE) == -1) { path = get_kb_item("SMB/Silverlight/Path"); if (isnull(path)) path = 'n/a'; report = '\n Path : ' + path + '\n Installed version : ' + slver + '\n Fixed version : 5.1.41105.0' + '\n'; hotfix_add_report(report,bulletin:bulletin, kb:"3106614"); vuln += 1; } } perform_windows_checks(); perform_dotnet_checks(); perform_office_checks(); perform_lync_checks(); perform_silverlight_checks(); if(vuln) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family MacOS X Local Security Checks NASL id MACOSX_MS15-128.NASL description The version of Microsoft Silverlight installed on the remote host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 87250 published 2015-12-08 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87250 title Microsoft Silverlight < 5.1.41105.0 Multiple Vulnerabilities (MS15-128) (Mac OS X) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(87250); script_version("1.5"); script_cvs_date("Date: 2019/11/20"); script_cve_id("CVE-2015-6106", "CVE-2015-6107", "CVE-2015-6108"); script_xref(name:"MSFT", value:"MS15-128"); script_xref(name:"IAVA", value:"2015-A-0308"); script_xref(name:"MSKB", value:"3106614"); script_name(english:"Microsoft Silverlight < 5.1.41105.0 Multiple Vulnerabilities (MS15-128) (Mac OS X)"); script_summary(english:"Checks the version of Microsoft Silverlight."); script_set_attribute(attribute:"synopsis", value: "A multimedia application framework installed on the remote Mac OS X host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Microsoft Silverlight installed on the remote host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user."); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms15-128"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Silverlight 5."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"patch_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("macosx_silverlight_installed.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/Silverlight/Installed"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); kb_base = "MacOSX/Silverlight"; get_kb_item_or_exit(kb_base+"/Installed"); path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1); version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1); bulletin = "MS15-128"; kb = "3106614"; fixed_version = "5.1.41105.0"; if (version =~ "^5\." && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0) { if (defined_func("report_xml_tag")) report_xml_tag(tag:bulletin, value:kb); if (report_verbosity > 0) { report = '\n Path : ' + path + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:0, extra:report); } else security_hole(0); exit(0); } else exit(0, "The Microsoft Silverlight "+version+" install is not reported to be affected.");