Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.1852
MS15-065 Security Update for Internet Explorer (3076321)
15 July 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Internet Explorer
Publisher: Microsoft
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-2425 CVE-2015-2422 CVE-2015-2421
CVE-2015-2419 CVE-2015-2414 CVE-2015-2413
CVE-2015-2412 CVE-2015-2411 CVE-2015-2410
CVE-2015-2408 CVE-2015-2406 CVE-2015-2405
CVE-2015-2404 CVE-2015-2403 CVE-2015-2401
CVE-2015-2398 CVE-2015-2397 CVE-2015-2391
CVE-2015-2390 CVE-2015-2389 CVE-2015-2388
CVE-2015-2385 CVE-2015-2384 CVE-2015-2383
CVE-2015-2372 CVE-2015-1767 CVE-2015-1738
CVE-2015-1733 CVE-2015-1729
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/MS15-065
- --------------------------BEGIN INCLUDED TEXT--------------------
MS15-065 Security Update for Internet Explorer (3076321)
Bulletin Number: MS15-065
Bulletin Title: Security Update for Internet Explorer
Severity: Critical
KB Article: 3076321
Version: 1.0
Published Date: July 14, 2015
Executive Summary
This security update resolves vulnerabilities in Internet Explorer. The most
severe of the vulnerabilities could allow remote code execution if a user
views a specially crafted webpage using Internet Explorer. An attacker who
successfully exploited these vulnerabilities could gain the same user rights
as the current user. Customers whose accounts are configured to have fewer
user rights on the system could be less impacted than those who operate with
administrative user rights.
This security update is rated Critical for Internet Explorer 6 (IE 6),
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on
affected Windows clients, and Moderate for Internet Explorer 6 (IE 6),
Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9
(IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on
affected Windows servers. For more information, see the Affected Software
section.
Affected Software
Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Internet Explorer 11
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012 R2
Windows RT 8.1
Vulnerability Information
VBScript Memory Corruption Vulnerability - CVE-2015-2372
A remote code execution vulnerability exists in the way that the VBScript
engine, when rendered in Internet Explorer, handles objects in memory. In a
web-based attack scenario, an attacker could host a specially crafted website
that is designed to exploit this vulnerability through Internet Explorer and
then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or
Microsoft Office document that hosts the IE rendering engine. The attacker
could also take advantage of compromised websites and websites that accept or
host user-provided content or advertisements. These websites could contain
specially crafted content that could exploit this vulnerability.
An attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. The update addresses the vulnerability by
modifying how the VBScript scripting engine handles objects in memory.
Internet Explorer XSS Filter Bypass Vulnerability CVE-2015-2398
An XSS filter bypass vulnerability exists in the way that Internet Explorer
disables an HTML attribute in otherwise appropriately filtered HTTP response
data. The vulnerability could allow initially disabled scripts to run in the
wrong security context, leading to information disclosure.
An attacker could post on a website specially crafted content that is designed
to exploit this vulnerability. The attacker would then have to convince the
user to view the content on the affected website. If the user then browses to
the website, the XSS filter disables HTML attributes in the specially crafted
content, creating a condition that could allow malicious script to run in the
wrong security context, leading to information disclosure.
An attacker who successfully exploited this vulnerability could cause script
code to run on another user's system in the guise of a third-party website.
Such script code would run inside the browser when visiting the third-party
website, and could take any action on the user's system that the third-party
website was permitted to take. The vulnerability could only be exploited if
the user clicked a hypertext link, either in an HTML email or if the user
visited an attacker's website or a website containing content that is under
the attackers control. Any systems where Internet Explorer is used frequently,
such as workstations and terminal servers, are at the most risk from this
vulnerability.
The update addresses the vulnerability by preventing the XSS filter in
Internet Explorer from incorrectly disabling HTML attributes.
Internet Explorer Elevation of Privilege Vulnerability CVE-2015-2405
An elevation of privilege vulnerability exists when Internet Explorer does not
properly validate permissions under specific conditions, potentially allowing
script to be run with elevated privileges.
In a web-based attack scenario, an attacker could host a website that is used
to attempt to exploit this vulnerability. In addition, compromised websites
and websites that accept or host user-provided content could contain specially
crafted content that could exploit the vulnerability. In all cases, however,
an attacker would have no way to force users to view the attacker-controlled
content. Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes them to
the attacker's site. An attacker who successfully exploited the vulnerability
could elevate privileges in affected versions of Internet Explorer. An
attacker could then leverage these privileges with another vulnerability to
run arbitrary code with medium integrity level privileges (permissions of the
current user).
This vulnerability by itself does not allow arbitrary code to be run. However,
this vulnerability could be used in conjunction with another vulnerability
(e.g., a remote code execution vulnerability) that could take advantage of the
elevated privileges when running arbitrary code. For example, an attacker
could exploit another vulnerability to run arbitrary code through Internet
Explorer, but due to the context in which processes are launched by Internet
Explorer, the code might be restricted to run at a low integrity level (very
limited permissions). However, an attacker could, in turn, exploit this
vulnerability to cause the arbitrary code to run at a medium integrity level
(permissions of the current user).
JScript9 Memory Corruption Vulnerability CVE -2015-2419
A remote code execution vulnerability exists in the way that the JScript
engine, when rendered in Internet Explorer, handles objects in memory. In a
web-based attack scenario, an attacker could host a specially crafted website
that is designed to exploit this vulnerability through Internet Explorer and
then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or
Microsoft Office document that hosts the IE rendering engine. The attacker
could also take advantage of compromised websites and websites that accept or
host user-provided content or advertisements. These websites could contain
specially crafted content that could exploit this vulnerability.
An attacker who successfully exploited this vulnerability could gain the same
user rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. The update addresses the vulnerability by
modifying how the JScript scripting engine handles objects in memory.
Internet Explorer ASLR Bypass CVE-2015-2421
A security feature bypass vulnerability exists when Internet Explorer fails to
use the Address Space Layout Randomization (ASLR) security feature, allowing
an attacker to more reliably predict the memory offsets of specific
instructions in a given call stack. An attacker who successfully exploited
this vulnerability could bypass the Address Space Layout Randomization (ASLR)
security feature, which helps protect users from a broad class of
vulnerabilities. The security feature bypass by itself does not allow
arbitrary code execution. However, an attacker could use this ASLR bypass
vulnerability in conjunction with another vulnerability, such as a remote code
execution vulnerability, to more reliably run arbitrary code on a target
system.
In a web-browsing scenario, successful exploitation of this vulnerability
requires that a user to be logged on and running an affected version of
Internet Explorer, and then browse to a malicious site. Therefore, any systems
where a web browser is used frequently, such as workstations or terminal
servers, are at the most risk from this vulnerability. Servers could be at
more risk if administrators allow users to browse and read email on servers.
However, best practices strongly discourage allowing this.
Multiple Memory Corruption Vulnerabilities in Internet Explorer
Remote code execution vulnerabilities exist when Internet Explorer improperly
accesses objects in memory. These vulnerabilities could corrupt memory in such
a way that an attacker could execute arbitrary code in the context of the
current user.
An attacker could host a specially crafted website that is designed to exploit
these vulnerabilities through Internet Explorer, and then convince a user to
view the website. The attacker could also take advantage of compromised
websites and websites that accept or host user-provided content or
advertisements by adding specially crafted content that could exploit these
vulnerabilities. In all cases, however, an attacker would have no way to force
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action, typically by getting them to click a link in
an instant messenger or email message that takes users to the attacker's
website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited these vulnerabilities could gain the
same user rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited these
vulnerabilities could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. Systems where Internet Explorer is used
frequently, such as workstations or terminal servers, are at the most risk
from these vulnerabilities.
The update addresses the vulnerabilities by modifying how Internet Explorer
handles objects in memory. The following table contains links to the standard
entry for each vulnerability in the Common Vulnerabilities and Exposures list:
Internet Explorer Memory Corruption Vulnerability CVE-2015-1733
Internet Explorer Memory Corruption Vulnerability CVE-2015-1738
Internet Explorer Memory Corruption Vulnerability CVE-2015-1767
Internet Explorer Memory Corruption Vulnerability CVE-2015-2383
Internet Explorer Memory Corruption Vulnerability CVE-2015-2384
Internet Explorer Memory Corruption Vulnerability CVE-2015-2385
Internet Explorer Memory Corruption Vulnerability CVE-2015-2388
Internet Explorer Memory Corruption Vulnerability CVE-2015-2389
Internet Explorer Memory Corruption Vulnerability CVE-2015-2390
Internet Explorer Memory Corruption Vulnerability CVE-2015-2391
Internet Explorer Memory Corruption Vulnerability CVE-2015-2397
Internet Explorer Memory Corruption Vulnerability CVE-2015-2401
Internet Explorer Memory Corruption Vulnerability CVE-2015-2403
Internet Explorer Memory Corruption Vulnerability CVE-2015-2404
Internet Explorer Memory Corruption Vulnerability CVE-2015-2406
Internet Explorer Memory Corruption Vulnerability CVE-2015-2408
Internet Explorer Memory Corruption Vulnerability CVE-2015-2411
Internet Explorer Memory Corruption Vulnerability CVE-2015-2422
Internet Explorer Memory Corruption Vulnerability CVE-2015-2425
Multiple Internet Explorer Information Disclosure Vulnerabilities
Information disclosure vulnerabilities exist in Internet Explorer:
CVE-2015-1729
An information disclosure vulnerability exists when Internet Explorer does not
properly enforce cross-domain policies, which could allow an attacker to gain
access to information in another domain or Internet Explorer zone. The update
addresses the vulnerability by helping to ensure cross-domain policies are
properly enforced in Internet Explorer.
CVE-2015-2410
An information disclosure vulnerability exists when Internet Explorer does not
properly handle requests from external stylesheets, which could allow an
attacker to detect the existence of specific files on the user's computer. The
update addresses the vulnerability by helping to restrict what information is
returned to external stylesheets.
CVE-2015-2412
An information disclosure vulnerability exists when Internet Explorer does not
properly validate file paths, which could allow an attacker to disclose the
contents of arbitrary files on the user's computer. The update addresses the
vulnerability by helping to ensure that file paths are properly validated
before returning file data to the user.
CVE-2015-2413
An information disclosure vulnerability exists when Internet Explorer does not
properly handle requests for module resources, which could allow an attacker
to detect the existence of specific files on the user's computer. The update
addresses the vulnerability by helping to ensure that requests for module
resources are properly validated in Internet Explorer
CVE-2015-2414
An information disclosure vulnerability exists when Internet Explorer does not
properly handle cached image information, which could allow an attacker to
gain access to information about the user's browsing history. The update
addresses the vulnerability by helping to ensure cross-domain policies are
properly enforced in Internet Explorer
In a web-based attack scenario, an attacker could host a website that is used
to attempt to exploit these vulnerabilities. In addition, compromised websites
and websites that accept or host user-provided content could contain specially
crafted content that could exploit these vulnerabilities. In all cases,
however, an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to convince users
to take action. For example, an attacker could trick users into clicking a
link that takes them to the attacker's site.
An attacker who successfully exploited any of these vulnerabilities could
potentially read data that was not intended to be disclosed. Note that these
vulnerabilities would not allow an attacker to execute code or to elevate
their user rights directly, but they could be used to obtain information that
could be used to try to further compromise the affected system.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVaWWtX6ZAP0PgtI9AQI3KRAAu8oowz+ntTji6jOBnEJcMtEmVrxvcOLU
NRN4r/8gtHIde4DzzFt0kBwzDk+/JTzBV9V3zYuonzDBrhQSBmCoenkkKKORGaZv
L1bryo11oxB1UZP0fNpYqWSp+xQyhW1TNDXAa/QAzuMUOQSvM6nd4o9vWoY9Zqt+
QpjLObO9RmlhU1+3LReP86agDwtuAmvdlZqzO3Fo7l7F4gSAL0Q+/oiTlxiM4u+r
h6tgEet41ugXMidNf89sUIGTtvu2xVsRHsnFd99T4rXp+db8lcJgJEF25zLbdr9Z
sFoctv6kpz7hKn0aSNQH7nQfs4PhJBwXqrEeHDzYcjUN+JbcFqqU49slrPZ7CJbX
/Vc2LhfxOXAdwopuu20NIM28dUg4gImqECKu1fgWjVQjU3VZJR1Q8msJTtVYUiMn
hPz7/tdP8yOsNf4PhYzG7HZS1JilWlC2AZ+DUPKHa/AD5qGHY6c9dYrFVB56n7C8
chTD7XvQfjLMk8d/F6+fkIdFfWS3LcpKGTzBIGvhgKM3Is7fSVEUvqGexnPU5Qe6
/yH9wYdSuWvAbUW69/mMkwRaOjh2mIHZxjE+PmkkV7OkYdwLhvPS4Mh21S4Tw734
GrnmnWUqp/UcA8WKzbOMg5Y+4Idlke5MAts2hNGiTF/U5D8mND2z/FmiKjJeNxMF
epMsNGdJeFY=
=SioI
-----END PGP SIGNATURE-----