===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1852
         MS15-065 Security Update for Internet Explorer (3076321)
                               15 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Internet Explorer
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2425 CVE-2015-2422 CVE-2015-2421
                   CVE-2015-2419 CVE-2015-2414 CVE-2015-2413
                   CVE-2015-2412 CVE-2015-2411 CVE-2015-2410
                   CVE-2015-2408 CVE-2015-2406 CVE-2015-2405
                   CVE-2015-2404 CVE-2015-2403 CVE-2015-2401
                   CVE-2015-2398 CVE-2015-2397 CVE-2015-2391
                   CVE-2015-2390 CVE-2015-2389 CVE-2015-2388
                   CVE-2015-2385 CVE-2015-2384 CVE-2015-2383
                   CVE-2015-2372 CVE-2015-1767 CVE-2015-1738
                   CVE-2015-1733 CVE-2015-1729 

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-065

--------------------------BEGIN INCLUDED TEXT--------------------

MS15-065 Security Update for Internet Explorer (3076321)

Bulletin Number: MS15-065

Bulletin Title: Security Update for Internet Explorer

Severity: Critical

KB Article: 3076321

Version: 1.0

Published Date: July 14, 2015

Executive Summary

This security update resolves vulnerabilities in Internet Explorer. The most 
severe of the vulnerabilities could allow remote code execution if a user 
views a specially crafted webpage using Internet Explorer. An attacker who 
successfully exploited these vulnerabilities could gain the same user rights 
as the current user. Customers whose accounts are configured to have fewer 
user rights on the system could be less impacted than those who operate with 
administrative user rights.

This security update is rated Critical for Internet Explorer 6 (IE 6), 
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on 
affected Windows clients, and Moderate for Internet Explorer 6 (IE 6), 
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on 
affected Windows servers. For more information, see the Affected Software 
section.

Affected Software

Internet Explorer 6

Internet Explorer 7

Internet Explorer 8

Internet Explorer 9

Internet Explorer 10

Internet Explorer 11

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows Server 2012

Windows RT

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 R2

Windows RT 8.1

Vulnerability Information

VBScript Memory Corruption Vulnerability - CVE-2015-2372

A remote code execution vulnerability exists in the way that the VBScript 
engine, when rendered in Internet Explorer, handles objects in memory. In a 
web-based attack scenario, an attacker could host a specially crafted website
that is designed to exploit this vulnerability through Internet Explorer and 
then convince a user to view the website. An attacker could also embed an 
ActiveX control marked "safe for initialization" in an application or 
Microsoft Office document that hosts the IE rendering engine. The attacker 
could also take advantage of compromised websites and websites that accept or
host user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit this vulnerability.

An attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. If the current user is logged on with 
administrative user rights, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. An attacker 
could then install programs; view, change, or delete data; or create new 
accounts with full user rights. The update addresses the vulnerability by 
modifying how the VBScript scripting engine handles objects in memory.

Internet Explorer XSS Filter Bypass Vulnerability CVE-2015-2398

An XSS filter bypass vulnerability exists in the way that Internet Explorer 
disables an HTML attribute in otherwise appropriately filtered HTTP response 
data. The vulnerability could allow initially disabled scripts to run in the 
wrong security context, leading to information disclosure.

An attacker could post on a website specially crafted content that is designed
to exploit this vulnerability. The attacker would then have to convince the 
user to view the content on the affected website. If the user then browses to
the website, the XSS filter disables HTML attributes in the specially crafted
content, creating a condition that could allow malicious script to run in the
wrong security context, leading to information disclosure.

An attacker who successfully exploited this vulnerability could cause script 
code to run on another user's system in the guise of a third-party website. 
Such script code would run inside the browser when visiting the third-party 
website, and could take any action on the user's system that the third-party 
website was permitted to take. The vulnerability could only be exploited if 
the user clicked a hypertext link, either in an HTML email or if the user 
visited an attacker's website or a website containing content that is under 
the attacker's control. Any systems where Internet Explorer is used frequently,
such as workstations and terminal servers, are at the most risk from this 
vulnerability.

The update addresses the vulnerability by preventing the XSS filter in 
Internet Explorer from incorrectly disabling HTML attributes.

Internet Explorer Elevation of Privilege Vulnerability CVE-2015-2405

An elevation of privilege vulnerability exists when Internet Explorer does not
properly validate permissions under specific conditions, potentially allowing
script to be run with elevated privileges.

In a web-based attack scenario, an attacker could host a website that is used
to attempt to exploit this vulnerability. In addition, compromised websites 
and websites that accept or host user-provided content could contain specially
crafted content that could exploit the vulnerability. In all cases, however, 
an attacker would have no way to force users to view the attacker-controlled 
content. Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes them to
the attacker's site. An attacker who successfully exploited the vulnerability
could elevate privileges in affected versions of Internet Explorer. An 
attacker could then leverage these privileges with another vulnerability to 
run arbitrary code with medium integrity level privileges (permissions of the
current user).

This vulnerability by itself does not allow arbitrary code to be run. However,
this vulnerability could be used in conjunction with another vulnerability 
(e.g., a remote code execution vulnerability) that could take advantage of the
elevated privileges when running arbitrary code. For example, an attacker 
could exploit another vulnerability to run arbitrary code through Internet 
Explorer, but due to the context in which processes are launched by Internet 
Explorer, the code might be restricted to run at a low integrity level (very 
limited permissions). However, an attacker could, in turn, exploit this 
vulnerability to cause the arbitrary code to run at a medium integrity level 
(permissions of the current user).

JScript9 Memory Corruption Vulnerability CVE-2015-2419

A remote code execution vulnerability exists in the way that the JScript 
engine, when rendered in Internet Explorer, handles objects in memory. In a 
web-based attack scenario, an attacker could host a specially crafted website
that is designed to exploit this vulnerability through Internet Explorer and 
then convince a user to view the website. An attacker could also embed an 
ActiveX control marked "safe for initialization" in an application or 
Microsoft Office document that hosts the IE rendering engine. The attacker 
could also take advantage of compromised websites and websites that accept or
host user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit this vulnerability.

An attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. If the current user is logged on with 
administrative user rights, an attacker who successfully exploited this 
vulnerability could take complete control of an affected system. An attacker 
could then install programs; view, change, or delete data; or create new 
accounts with full user rights. The update addresses the vulnerability by 
modifying how the JScript scripting engine handles objects in memory.

Internet Explorer ASLR Bypass CVE-2015-2421

A security feature bypass vulnerability exists when Internet Explorer fails to
use the Address Space Layout Randomization (ASLR) security feature, allowing 
an attacker to more reliably predict the memory offsets of specific 
instructions in a given call stack. An attacker who successfully exploited 
this vulnerability could bypass the Address Space Layout Randomization (ASLR)
security feature, which helps protect users from a broad class of 
vulnerabilities. The security feature bypass by itself does not allow 
arbitrary code execution. However, an attacker could use this ASLR bypass 
vulnerability in conjunction with another vulnerability, such as a remote code
execution vulnerability, to more reliably run arbitrary code on a target 
system.

In a web-browsing scenario, successful exploitation of this vulnerability 
requires that a user be logged on and running an affected version of 
Internet Explorer, and then browse to a malicious site. Therefore, any systems
where a web browser is used frequently, such as workstations or terminal 
servers, are at the most risk from this vulnerability. Servers could be at 
more risk if administrators allow users to browse and read email on servers. 
However, best practices strongly discourage allowing this.
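
Added example (not part of the Microsoft bulletin or the AusCERT 
redistribution): by default, Windows ASLR only randomizes images that opt in, 
so one defensive check related to the bypass described above is to audit the 
modules a browser process loads for the DYNAMIC_BASE flag. The bulletin does 
not describe the cause of CVE-2015-2421, so this shows the general audit, not 
that flaw; build_sample and its header-only images are constructed for the 
demonstration.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def aslr_status(image: bytes) -> dict:
    """Report, from the PE headers alone, whether an image opts in to ASLR."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    opt = coff + 20  # the COFF file header is 20 bytes
    if len(image) < opt + 72:
        raise ValueError("headers truncated")
    size_opt, file_chars = struct.unpack_from("<HH", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if size_opt < 72 or magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32_plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(
            dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "relocs_stripped": relocs_stripped,
        # Without relocation data the loader cannot move the image.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_sample(dll_chars: int, file_chars: int = 0x0002,
                 magic: int = 0x20B) -> bytes:
    """Constructed header-only image for the demo (not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 72, file_chars)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "opted-in module": build_sample(0x0160),
        "legacy module, no DYNAMIC_BASE": build_sample(0x0100),
        "flag set but relocations stripped": build_sample(0x0040, 0x0003),
    }
    for name, data in samples.items():
        print(name, aslr_status(data))
```
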

Multiple Memory Corruption Vulnerabilities in Internet Explorer

Remote code execution vulnerabilities exist when Internet Explorer improperly
accesses objects in memory. These vulnerabilities could corrupt memory in such
a way that an attacker could execute arbitrary code in the context of the 
current user.

An attacker could host a specially crafted website that is designed to exploit
these vulnerabilities through Internet Explorer, and then convince a user to 
view the website. The attacker could also take advantage of compromised 
websites and websites that accept or host user-provided content or 
advertisements by adding specially crafted content that could exploit these 
vulnerabilities. In all cases, however, an attacker would have no way to force
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action, typically by getting them to click a link in
an instant messenger or email message that takes users to the attacker's 
website, or by getting them to open an attachment sent through email.

An attacker who successfully exploited these vulnerabilities could gain the 
same user rights as the current user. If the current user is logged on with 
administrative user rights, an attacker who successfully exploited these 
vulnerabilities could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new 
accounts with full user rights. Systems where Internet Explorer is used 
frequently, such as workstations or terminal servers, are at the most risk 
from these vulnerabilities.

The update addresses the vulnerabilities by modifying how Internet Explorer 
handles objects in memory. The following table contains links to the standard
entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Internet Explorer Memory Corruption Vulnerability CVE-2015-1733

Internet Explorer Memory Corruption Vulnerability CVE-2015-1738

Internet Explorer Memory Corruption Vulnerability CVE-2015-1767

Internet Explorer Memory Corruption Vulnerability CVE-2015-2383

Internet Explorer Memory Corruption Vulnerability CVE-2015-2384

Internet Explorer Memory Corruption Vulnerability CVE-2015-2385

Internet Explorer Memory Corruption Vulnerability CVE-2015-2388

Internet Explorer Memory Corruption Vulnerability CVE-2015-2389

Internet Explorer Memory Corruption Vulnerability CVE-2015-2390

Internet Explorer Memory Corruption Vulnerability CVE-2015-2391

Internet Explorer Memory Corruption Vulnerability CVE-2015-2397

Internet Explorer Memory Corruption Vulnerability CVE-2015-2401

Internet Explorer Memory Corruption Vulnerability CVE-2015-2403

Internet Explorer Memory Corruption Vulnerability CVE-2015-2404

Internet Explorer Memory Corruption Vulnerability CVE-2015-2406

Internet Explorer Memory Corruption Vulnerability CVE-2015-2408

Internet Explorer Memory Corruption Vulnerability CVE-2015-2411

Internet Explorer Memory Corruption Vulnerability CVE-2015-2422

Internet Explorer Memory Corruption Vulnerability CVE-2015-2425

Multiple Internet Explorer Information Disclosure Vulnerabilities

Information disclosure vulnerabilities exist in Internet Explorer:

CVE-2015-1729

An information disclosure vulnerability exists when Internet Explorer does not
properly enforce cross-domain policies, which could allow an attacker to gain
access to information in another domain or Internet Explorer zone. The update
addresses the vulnerability by helping to ensure cross-domain policies are 
properly enforced in Internet Explorer.

CVE-2015-2410

An information disclosure vulnerability exists when Internet Explorer does not
properly handle requests from external stylesheets, which could allow an 
attacker to detect the existence of specific files on the user's computer. The
update addresses the vulnerability by helping to restrict what information is
returned to external stylesheets.

CVE-2015-2412

An information disclosure vulnerability exists when Internet Explorer does not
properly validate file paths, which could allow an attacker to disclose the 
contents of arbitrary files on the user's computer. The update addresses the 
vulnerability by helping to ensure that file paths are properly validated 
before returning file data to the user.

CVE-2015-2413

An information disclosure vulnerability exists when Internet Explorer does not
properly handle requests for module resources, which could allow an attacker 
to detect the existence of specific files on the user's computer. The update 
addresses the vulnerability by helping to ensure that requests for module 
resources are properly validated in Internet Explorer.

CVE-2015-2414

An information disclosure vulnerability exists when Internet Explorer does not
properly handle cached image information, which could allow an attacker to 
gain access to information about the user's browsing history. The update 
addresses the vulnerability by helping to ensure cross-domain policies are 
properly enforced in Internet Explorer.

In a web-based attack scenario, an attacker could host a website that is used
to attempt to exploit these vulnerabilities. In addition, compromised websites
and websites that accept or host user-provided content could contain specially
crafted content that could exploit these vulnerabilities. In all cases, 
however, an attacker would have no way to force users to view the 
attacker-controlled content. Instead, an attacker would have to convince users
to take action. For example, an attacker could trick users into clicking a 
link that takes them to the attacker's site.

An attacker who successfully exploited any of these vulnerabilities could 
potentially read data that was not intended to be disclosed. Note that these 
vulnerabilities would not allow an attacker to execute code or to elevate 
their user rights directly, but they could be used to obtain information that
could be used to try to further compromise the affected system.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================