SecurityTracker.com

Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
Microsoft Windows Installer Service Custom Action Script Processing Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1032905
SecurityTracker URL:  http://securitytracker.com/id/1032905
CVE Reference:   CVE-2015-2371
Updated:  Jul 29 2015
Original Entry Date:  Jul 15 2015
Impact:   Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2003 SP2, 2003 R2 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2, RT, RT 8.1, 10; and prior service packs
Description:   A vulnerability was reported in Microsoft Windows Installer Service. A local user can gain system privileges on the target system.

A local user can locate a vulnerable '.msi' package installed on the target system and place specially crafted code where that package will execute it. This triggers a flaw in the way the Microsoft Windows Installer Service processes custom action scripts and lets the user gain system level privileges on the target system.

Mariusz Mlynski (via HP's Zero Day Initiative) reported this vulnerability.

Impact:   A local user can obtain system privileges on the target system.
Solution:   The vendor has issued a fix.

Windows Server 2003 Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=F024121F-7F22-41EA-94DE-2DED869E98A5

Windows Server 2003 x64 Edition Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=03FAE512-8429-4FA8-9111-84FC7EC38619

Windows Server 2003 with SP2 for Itanium-based Systems:

https://www.microsoft.com/downloads/details.aspx?familyid=461A1ECF-62EB-4360-9870-25003FC5790B

Windows Server 2003 R2 Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=F024121F-7F22-41EA-94DE-2DED869E98A5

Windows Server 2003 R2 x64 Edition Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=03FAE512-8429-4FA8-9111-84FC7EC38619

Windows Vista Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=3B38762D-1BEF-4F21-A87F-EA39AEC40AFF

Windows Vista x64 Edition Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=7FBFF842-82FA-4E3C-B8B2-E1E4CE77BBD1

Windows Server 2008 for 32-bit Systems Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=ED24C353-83AC-431F-BB2E-A7F17402BE97

Windows Server 2008 for x64-based Systems Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=3D7C2C0B-4555-4270-876E-A2CB24B19BA0

Windows Server 2008 for Itanium-based Systems Service Pack 2:

https://www.microsoft.com/downloads/details.aspx?familyid=31B3AA1D-56B8-46F4-BE0C-5B59322C1740

Windows 7 for 32-bit Systems Service Pack 1:

https://www.microsoft.com/downloads/details.aspx?familyid=584E6993-40EA-403D-B62C-4414417A1FBF

Windows 7 for x64-based Systems Service Pack 1:

https://www.microsoft.com/downloads/details.aspx?familyid=98B493CF-1E9A-45F2-BCBB-15AC71A67418

Windows Server 2008 R2 for x64-based Systems Service Pack 1:

https://www.microsoft.com/downloads/details.aspx?familyid=DF6BFA91-47A4-40D2-9E57-1E58A80CCAF1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:

https://www.microsoft.com/downloads/details.aspx?familyid=F79DDED5-B820-4281-8258-1ACA5E9451ED

Windows 8 for 32-bit Systems:

https://www.microsoft.com/downloads/details.aspx?familyid=2CA01D8E-1A53-4FF7-AC72-5ED9621C7308

Windows 8 for x64-based Systems:

https://www.microsoft.com/downloads/details.aspx?familyid=FB48DD4D-6E35-4989-89F8-D0208EC3C866

Windows 8.1 for 32-bit Systems:

https://www.microsoft.com/downloads/details.aspx?familyid=6607B310-CCC8-413E-8BE6-6C2E58EED0F1

Windows 8.1 for x64-based Systems:

https://www.microsoft.com/downloads/details.aspx?familyid=E4100CAB-63A3-4F62-A827-09D061AB746F

Windows Server 2012:

https://www.microsoft.com/downloads/details.aspx?familyid=0AB960AC-EE1C-4484-9F52-4B775551A286

Windows Server 2012 R2:

https://www.microsoft.com/downloads/details.aspx?familyid=18417106-E4D2-4C81-88E6-171C5E3D99BD

Windows 10:

KB 3074683, available via Windows Update only.

The Microsoft advisory is available at:

https://technet.microsoft.com/library/security/ms15-074

Vendor URL:  technet.microsoft.com/library/security/ms15-074
Cause:   Access control error

Message History:   None.


Copyright 2020, SecurityGlobal.net LLC