Vulnerabilities > CVE-2015-6107 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-119
critical
nessus

Summary

The Windows font library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10 Gold and 1511, Office 2007 SP3, Office 2010 SP2, Word Viewer, Skype for Business 2016, Lync 2010, Lync 2013 SP1, and Live Meeting 2007 Console allows remote attackers to execute arbitrary code via a crafted embedded font, aka "Graphics Memory Corruption Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_idMS15-128
bulletin_url
date2015-12-08T00:00:00
impactRemote Code Execution
knowledgebase_id3104503
knowledgebase_url
severityCritical
titleSecurity Update for Microsoft Graphics Component to Address Remote Code Execution

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS15-128.NASL
    descriptionThe remote Windows host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id87257
    published2015-12-08
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/87257
    titleMS15-128: Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87257);
      script_version("1.12");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id("CVE-2015-6106", "CVE-2015-6107", "CVE-2015-6108");
      script_bugtraq_id(78497, 78498, 78499);
      script_xref(name:"MSFT", value:"MS15-128");
      script_xref(name:"MSKB", value:"3085612");
      script_xref(name:"MSKB", value:"3085616");
      script_xref(name:"MSKB", value:"3099860");
      script_xref(name:"MSKB", value:"3099862");
      script_xref(name:"MSKB", value:"3099863");
      script_xref(name:"MSKB", value:"3099864");
      script_xref(name:"MSKB", value:"3099866");
      script_xref(name:"MSKB", value:"3099869");
      script_xref(name:"MSKB", value:"3099874");
      script_xref(name:"MSKB", value:"3106614");
      script_xref(name:"MSKB", value:"3109094");
      script_xref(name:"MSKB", value:"3114351");
      script_xref(name:"MSKB", value:"3114372");
      script_xref(name:"MSKB", value:"3114478");
      script_xref(name:"MSKB", value:"3115871");
      script_xref(name:"MSKB", value:"3115872");
      script_xref(name:"MSKB", value:"3115873");
      script_xref(name:"MSKB", value:"3115875");
      script_xref(name:"MSKB", value:"3116869");
      script_xref(name:"MSKB", value:"3116900");
      script_xref(name:"IAVA", value:"2015-A-0308");
    
      script_name(english:"MS15-128: Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)");
      script_summary(english:"Checks the file versions.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple remote code execution
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is affected by multiple remote code execution
    vulnerabilities due to improper handling of embedded fonts by the
    Windows font library. A remote attacker can exploit these by
    convincing a user to open a file or visit a website containing a
    specially crafted embedded font, resulting in execution of arbitrary
    code in the context of the current user.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-128");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows Vista, 2008, 7,
    2008 R2, 8, RT, 2012, 8.1, RT 8.1, 2012 R2, and 10. Additionally,
    Microsoft has released a set of patches for Office 2007, Office 2010,
    Word Viewer, Lync 2010, Lync 2010 Attendee, Lync 2013, Lync Basic
    2013, Skype for Business 2016, Live Meeting 2007 Console, Silverlight;
    and .NET framework 3.0 SP2, 3.5, 3.5.1, 4, 4.5.1, 4.5.2, and 4.6.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2007");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2010");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word_viewer");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:live_meeting:2007");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2010");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2010:attendee");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync:2013");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:lync_basic:2013");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:skype_for_business:2016");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "office_installed.nasl", "microsoft_lync_server_installed.nasl", "silverlight_detect.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    global_var bulletin, vuln, arch;
    
    arch = get_kb_item_or_exit('SMB/ARCH');
    vuln = 0;
    bulletin = 'MS15-128';
    
    kbs = make_list(
      "3085612",
      "3085616",
      "3099860",
      "3099862",
      "3099863",
      "3099864",
      "3099866",
      "3099869",
      "3099874",
      "3106614",
      "3109094",
      "3114351",
      "3114372",
      "3114478",
      "3115871",
      "3115872",
      "3115873",
      "3115875",
      "3116869",
      "3116900"
    );
    
    if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    winver = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    # Windows Checks
    function perform_windows_checks()
    {
      if (
        hotfix_is_vulnerable(os:"10", sp:0, file:"gdiplus.dll", version:"10.0.10586.20", min_version:"10.0.10586.0", dir:"\system32", bulletin:bulletin, kb:'3116900') ||
        hotfix_is_vulnerable(os:"10", sp:0, file:"gdiplus.dll", version:"10.0.10240.16603", dir:"\system32", bulletin:bulletin, kb:'3116869') ||
        # 8.1 / 2012 R2
        hotfix_is_vulnerable(os:"6.3", sp:0, file:"dwrite.dll", version:"6.3.9600.18123", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        # 8 / 2012
        hotfix_is_vulnerable(os:"6.2", sp:0, file:"dwrite.dll", version:"6.2.9200.17568", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        hotfix_is_vulnerable(os:"6.2", sp:0, file:"dwrite.dll", version:"6.2.9200.21687", min_version:"6.2.9200.20000 ", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        # 7 / 2008 R2
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.2.9200.17568", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.2.9200.21687", min_version:"6.2.9200.20000 ", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.1.7601.19061", min_version:"6.1.7601.16000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"dwrite.dll", version:"6.1.7601.23265", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        # Vista / 2008
        hotfix_is_vulnerable(os:"6.0", sp:2, file:"dwrite.dll", version:"7.0.6002.19535", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:"3109094") ||
        hotfix_is_vulnerable(os:"6.0", sp:2, file:"dwrite.dll", version:"7.0.6002.23845", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:"3109094")
      )
        vuln++;
    }
    
    # dotnet checks
    function perform_dotnet_checks()
    {
      local_var dotnet_452_installed, dotnet_451_installed, dotnet_45_installed, dotnet_46_installed;
      local_var ver, missing, count, installs, install;
    
      # Determine if .NET 4.5, 4.5.1, or 4.5.2 is installed
      dotnet_452_installed = FALSE;
      dotnet_451_installed = FALSE;
      dotnet_45_installed  = FALSE;
      dotnet_46_installed  = FALSE;
    
      count = get_install_count(app_name:'Microsoft .NET Framework');
      if (count > 0)
      {
        installs = get_installs(app_name:'Microsoft .NET Framework');
        foreach install(installs[1])
        {
          ver = install["version"];
          if (ver == "4.5") dotnet_45_installed = TRUE;
          if (ver == "4.6") dotnet_46_installed = TRUE;
          if (ver == "4.5.1") dotnet_451_installed = TRUE;
          if (ver == "4.5.2") dotnet_452_installed = TRUE;
        }
      }
    
      ########## KB3099860 #############
      # .NET Framework 3.0 SP2         #
      # Windows Vista SP2              #
      # Windows Server 2008 SP2        #
      ##################################
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0300.dll", version:"3.0.6920.4230", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF");
      missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000", dir:"\Microsoft.NET\Framework\v3.0\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099860");
      vuln += missing;
    
      ########### KB3099866 #############
      # .NET Framework 4                #
      # Windows Vista SP2               #
      # Windows Server 2008 SP2         #
      ###################################
      missing = 0;
      # Windows Vista/Server 2008 SP2
      missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0400.dll", version:"4.0.30319.1044", min_version:"4.0.30319.0", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
      missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpfgfx_v0400.dll", version:"4.0.30319.2077", min_version:"4.0.30319.1200", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2099866");
      vuln += missing;
    
      ########### KB3099869 ############
      # .NET Framework 4.5/4.5.1/4.5.2 #
      # Windows Vista SP2              #
      # Windows Server 2008 SP2        #
      ##################################
      missing = 0;
      if (dotnet_45_installed || dotnet_451_installed || dotnet_452_installed)
      {
        missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.0.30319.34280", min_version:"4.0.30319.30000", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
        missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.0.30319.36330", min_version:"4.0.30319.34500", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
      }
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099869");
      vuln += missing;
    
      ############ KB3099874 ###########
      # .NET Framework 4.6             #
      # Windows Vista SP2              #
      # Windows Server 2008 SP2        #
      ##################################
      missing = 0;
      if (dotnet_46_installed)
      {
        missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.6.118.0", min_version:"4.6.0.0", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
        if(arch == "x64")
          missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"wpftxt_v0400.dll", version:"4.6.118.0", min_version:"4.6.0.0", dir:"\Microsoft.NET\Framework64\v4.0.30319\WPF");
      }
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099874");
      vuln += missing;
    
      ############ KB3099864 ############
      # .NET Framework 3.5              #
      # Windows 8.1                     #
      # Windows Server 2012 R2          #
      ###################################
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.3", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8009", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF");
      missing += hotfix_is_vulnerable(os:"6.3", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.8200", dir:"\Microsoft.NET\Framework\v3.0\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099864");
      vuln += missing;
    
      ########### KB3099862 #############
      # .NET Framework 3.5.1            #
      # Windows 7 SP1                   #
      # Windows Server 2008 R2 SP1      #
      ###################################
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"wpfgfx_v0300.dll", version:"3.0.6920.5470", min_version:"3.0.6920.0",  dir:"\Microsoft.NET\Framework\v3.0\WPF");
      missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000",  dir:"\Microsoft.NET\Framework\v3.0\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099862");
      vuln += missing;
    
      ########### KB3099863 ###########
      # .NET Framework 3.5            #
      # Windows 8                     #
      # Windows Server 2012           #
      #################################
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.6422", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF");
      missing += hotfix_is_vulnerable(os:"6.2", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.7000", dir:"\Microsoft.NET\Framework\v3.0\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3099863");
      vuln += missing;
    
      ############# KB3116869 #############
      #  .NET Framework 3.5               #
      #  Windows 10                       #
      #####################################
      missing = 0;
      # .NET 3.5
      missing += hotfix_is_vulnerable(os:"10", sp:0, file:"wpfgfx_v0300.dll", version:"3.0.6920.8693", min_version:"3.0.6920.0", dir:"\Microsoft.NET\Framework\v3.0\WPF");
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"3116869");
      vuln += missing;
    }
    
    # KB 3085546 / KB 3085529 (Office Checks)
    function perform_office_checks()
    {
      local_var office_versions, office_sp;
      local_var path, wvinst, wvkb;
    
      office_versions = hotfix_check_office_version();
      # Office 2010 is only affected on Windows versions earlier than Vista
      if (winver !~ '^([0-5\\.]|6\\.0$)')
      {
        if (office_versions["14.0"])
        {
          office_sp = get_kb_item("SMB/Office/2010/SP");
          if (!isnull(office_sp) && office_sp == 2)
          {
            path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"14.0"), value:"\Microsoft Shared\Office14");
            if (hotfix_check_fversion(file:"Ogl.dll", version:"14.0.7164.5000", min_version:"14.0.0.0", path:path, bulletin:bulletin, kb:"3085612", product:"Microsoft Office 2010 SP2") == HCF_OLDER)
              vuln++;
          }
        }
      }
    
      if (office_versions["12.0"])
      {
        office_sp = get_kb_item("SMB/Office/2007/SP");
        if (office_sp == 3)
        {
          path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:"12.0"), value:"\Microsoft Shared\Office12");
          if (hotfix_check_fversion(file:"Ogl.dll", version:"12.0.6738.5000", min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:'3085616', product:"Microsoft Office 2007 SP3") == HCF_OLDER)
             vuln++;
        }
      }
    
      # Word Viewer
      wvinst = get_kb_list("SMB/Office/WordViewer/*/ProductPath");
      if (!empty_or_null(wvinst))
      {
        foreach wvkb (keys(wvinst))
        {
          if ("11.0" >!< wvkb)
            continue;
          # Delete exe part
          path = ereg_replace(pattern:"[Ww]ordview\.exe$", replace:'', string:get_kb_item(wvkb));
          if (hotfix_check_fversion(file:"gdiplus.dll", version:"11.0.8422.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'3114478', product:"Microsoft Word Viewer") == HCF_OLDER)
            vuln++;
        }
      }
    }
    
    # Lync checks
    function perform_lync_checks()
    {
      local_var lync_count, lync_installs, lync_install;
    
      lync_count = get_install_count(app_name:"Microsoft Lync");
    
      # Nothing to do
      if (int(lync_count) <= 0)
        return;
    
      lync_installs = get_installs(app_name:"Microsoft Lync");
      foreach lync_install (lync_installs[1])
      {
        #if ("Live Meeting 2007 Console" >< lync_install["Product"])
        #{
        #  if (hotfix_check_fversion(file:"pubutil.dll", version:"8.0.6362.249", min_version:"8.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115875", product:"Live Meeting 2007 Console") == HCF_OLDER)
        #    vuln++;
        #}
        if (lync_install["version"] =~ "^4\.0\." && "Server" >!< lync_install["Product"])
        {
          # Lync 2010
          if ("Attendee" >!< lync_install["Product"])
          {
            if (hotfix_check_fversion(file:"communicator.exe", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115875", product:"Microsoft Lync 2010") == HCF_OLDER)
              vuln++;
          }
          # Lync 2010 Attendee
          else if ("Attendee" >< lync_install["Product"])
          {
            if ("user level" >< tolower(lync_install["Product"])) # User
            {
              if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115872", product:lync_install["Product"]) == HCF_OLDER)
                vuln++;
            }
            else # Admin
            {
              if (hotfix_check_fversion(file:"MeetingJoinAxAOC.DLL", version:"4.0.7577.4486", min_version:"4.0.0.0", path:lync_install["path"], bulletin:bulletin, kb:"3115873", product:lync_install["Product"]) == HCF_OLDER)
                vuln++;
            }
          }
        }
        # Lync 2013
        else if (lync_install["version"] =~ "^15\.0\." && "Server" >!< lync_install["Product"])
        {
          if (hotfix_check_fversion(file:"Lync.exe", version:"15.0.4779.1001", min_version:"15.0.4569.1503", path:lync_install["path"], bulletin:bulletin, kb:"3101496", product:"Microsoft Lync 2013 (Skype for Business)") == HCF_OLDER)
            vuln++;
        }
        # Skype for Business 2016
        else if (lync_install["version"] =~ "^16\.0\." && "Server" >!< lync_install["Product"])
        {
          if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.4312.1000", channel:"MSI", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3085634", product:"Skype for Business 2016") == HCF_OLDER)
            vuln++;
          if (hotfix_check_fversion(file:"Lync.exe", version:"16.0.6001.1043", channel:"Current", channel_product:"Lync", path:lync_install["path"], bulletin:bulletin, kb:"3085634", product:"Skype for Business 2016") == HCF_OLDER)
            vuln++;
        }
      }
    }
    
    # Silverlight Check
    function perform_silverlight_checks()
    {
      local_var slver, report, path;
    
      slver = get_kb_item("SMB/Silverlight/Version");
      if (slver && slver =~ "^5\." && ver_compare(ver:slver, fix:"5.1.41105.0",strict:FALSE) == -1)
      {
        path = get_kb_item("SMB/Silverlight/Path");
        if (isnull(path)) path = 'n/a';
    
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + slver +
          '\n  Fixed version     : 5.1.41105.0' +
          '\n';
        hotfix_add_report(report,bulletin:bulletin, kb:"3106614");
        vuln += 1;
      }
    }
    
    perform_windows_checks();
    perform_dotnet_checks();
    perform_office_checks();
    perform_lync_checks();
    perform_silverlight_checks();
    
    if(vuln)
    {
      set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS15-128.NASL
    descriptionThe version of Microsoft Silverlight installed on the remote host is affected by multiple remote code execution vulnerabilities due to improper handling of embedded fonts by the Windows font library. A remote attacker can exploit these by convincing a user to open a file or visit a website containing a specially crafted embedded font, resulting in execution of arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id87250
    published2015-12-08
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87250
    titleMicrosoft Silverlight < 5.1.41105.0 Multiple Vulnerabilities (MS15-128) (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87250);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/20");
    
      script_cve_id("CVE-2015-6106", "CVE-2015-6107", "CVE-2015-6108");
      script_xref(name:"MSFT", value:"MS15-128");
      script_xref(name:"IAVA", value:"2015-A-0308");
      script_xref(name:"MSKB", value:"3106614");
    
      script_name(english:"Microsoft Silverlight < 5.1.41105.0 Multiple Vulnerabilities (MS15-128) (Mac OS X)");
      script_summary(english:"Checks the version of Microsoft Silverlight.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A multimedia application framework installed on the remote Mac OS X
    host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Microsoft Silverlight installed on the remote host is
    affected by multiple remote code execution vulnerabilities due to 
    improper handling of embedded fonts by the Windows font library.  A
    remote attacker can exploit these by convincing a user to open a file
    or visit a website containing a specially crafted embedded font, 
    resulting in execution of arbitrary code in the context of the current
    user.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms15-128");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Silverlight 5.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_silverlight_installed.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "MacOSX/Silverlight/Installed");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    
    kb_base = "MacOSX/Silverlight";
    get_kb_item_or_exit(kb_base+"/Installed");
    path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);
    version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
    
    
    bulletin = "MS15-128";
    kb = "3106614";
    
    fixed_version = "5.1.41105.0";
    if (version =~ "^5\." && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)
    {
      if (defined_func("report_xml_tag")) report_xml_tag(tag:bulletin, value:kb);
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_version +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The Microsoft Silverlight "+version+" install is not reported to be affected.");