Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2063
MS15-079 - Cumulative Security Update for Internet Explorer (3082442)
12 August 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Internet Explorer
Publisher: Microsoft
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-2452 CVE-2015-2451 CVE-2015-2450
CVE-2015-2449 CVE-2015-2448 CVE-2015-2447
CVE-2015-2446 CVE-2015-2445 CVE-2015-2444
CVE-2015-2443 CVE-2015-2442 CVE-2015-2441
CVE-2015-2423
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/MS15-079
- --------------------------BEGIN INCLUDED TEXT--------------------
MS15-079 Cumulative Security Update for Internet Explorer (3082442)
Bulletin Number: MS15-079
Bulletin Title: Cumulative Security Update for Internet Explorer
Severity: Critical
KB Article: 3082442
Version: 1.0
Published Date: August 11, 2015
Executive Summary
This security update resolves vulnerabilities in Internet Explorer. The most
severe of the vulnerabilities could allow remote code execution if a user
views a specially crafted webpage using Internet Explorer. An attacker who
successfully exploited these vulnerabilities could gain the same user rights
as the current user. Customers whose accounts are configured to have fewer
user rights on the system could be less impacted than those who operate with
administrative user rights.
This security update is rated Critical for Internet Explorer 7 (IE 7),
Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10
(IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and
Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet
Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE
11) on affected Windows servers. For more information, see the Affected
Software section.
Affected Software
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10 [1]
Internet Explorer 11 [1]
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows Server 2012
Windows RT
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows Server 2012 R2
Windows RT 8.1
Windows 10 for 32-bit Systems[2]
Windows 10 for x64-based Systems[2]
[1]This update is available via Windows Update.
[2]The Windows 10 update is cumulative. In addition to containing non-security
updates, it also contains all of the security fixes for all of the Windows
10-affected vulnerabilities shipping with this months security release. The
update is available via the Windows Update Catalog only. See Microsoft
Knowledge Base Article 3081435 for more information and download links.
Vulnerability Information
Multiple Memory Corruption Vulnerabilities
Remote code execution vulnerabilities exist when Internet Explorer improperly
accesses objects in memory. These vulnerabilities could corrupt memory in such
a way that an attacker could execute arbitrary code in the context of the
current user.
An attacker could host a specially crafted website that is designed to exploit
these vulnerabilities through Internet Explorer, and then convince a user to
view the website. The attacker could also take advantage of compromised
websites and websites that accept or host user-provided content or
advertisements by adding specially crafted content that could exploit these
vulnerabilities. In all cases, however, an attacker would have no way to force
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action, typically by getting them to click a link in
an instant messenger or email message that takes users to the attacker's
website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited these vulnerabilities could gain the
same user rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited these
vulnerabilities could take complete control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. Systems where Internet Explorer is used
frequently, such as workstations or terminal servers, are at the most risk
from these vulnerabilities.
The update addresses the vulnerabilities by modifying how Internet Explorer
handles objects in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Memory Corruption Vulnerability CVE-2015-2441 No No
Memory Corruption Vulnerability CVE-2015-2442 No No
Memory Corruption Vulnerability CVE-2015-2443 No No
Memory Corruption Vulnerability CVE-2015-2444 No No
Memory Corruption Vulnerability CVE-2015-2446 No No
Memory Corruption Vulnerability CVE-2015-2447 No No
Memory Corruption Vulnerability CVE-2015-2448 No No
Memory Corruption Vulnerability CVE-2015-2450 No No
Memory Corruption Vulnerability CVE-2015-2451 No No
Memory Corruption Vulnerability CVE-2015-2452 No No
Multiple ASLR Bypass Vulnerabilities
Security feature bypass vulnerabilities exist when Internet Explorer fails to
use the Address Space Layout Randomization (ASLR) security feature, allowing
an attacker to more reliably predict the memory offsets of specific
instructions in a given call stack. An attacker who successfully exploited
this vulnerability could bypass the Address Space Layout Randomization (ASLR)
security feature, which helps protect users from a broad class of
vulnerabilities. The security feature bypass by itself does not allow
arbitrary code execution. However, an attacker could use this ASLR bypass
vulnerability in conjunction with another vulnerability, such as a remote code
execution vulnerability, to more reliably run arbitrary code on a target
system.
In a web-browsing scenario, successful exploitation of these vulnerabilities
requires that a user is logged on and running an affected version of Internet
Explorer, and browses to a malicious site. Therefore, any systems where a web
browser is used frequently, such as workstations or terminal servers, are at
the most risk from this vulnerability. Servers could be at more risk if
administrators allow users to browse and read email on servers. However, best
practices strongly discourage allowing this.
The update addresses these vulnerabilities by helping to ensure that affected
versions of Internet Explorer properly implement the ASLR security feature.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly Disclosed Exploited
ASLR Bypass CVE-2015-2445 No No
ASLR Bypass CVE-2015-2449 No No
Unsafe Command Line Parameter Passing Vulnerability - CVE-2015-2423
An information disclosure vulnerability exists in Microsoft Windows, Internet
Explorer, and Microsoft Office when files at a medium integrity level become
accessible to Internet Explorer running in Enhanced Protection Mode (EPM).
To exploit this vulnerability, an attacker would first need to leverage
another vulnerability and execute code in Internet Explorer with EPM, and then
execute Excel, Notepad, PowerPoint, Visio, or Word using an unsafe command
line parameter. The update addresses the vulnerability by improving how
Notepad and Microsoft Office programs are executed from Internet Explorer.
Important To be protected from this vulnerability, customers must apply the
updates provided in this bulletin, as well as Windows updates provided in
MS15-088. Likewise, customers running an affected Microsoft Office product
must also apply the applicable updates provided in MS15-081. Customers who do
not install all of the updates available for their affected software will not
be fully protected from the vulnerability.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVcqF2X6ZAP0PgtI9AQK0lhAAkL7f7IR/nJqZJMBDGxffkfI8kKX+oKnY
nqvyEhNU6o56u8it4o9inKycReHlYurZdZN9ogwHRBOaXKFPwJJva6wvTxWJyKMH
+kRjsVmkN6+T4tO+9Arvh8XIC37Zn7cckKC9jaKUhwhV4glzC3rWkXyTW3C6dSj1
BMckADDZZhDhU/DNB6lst6FuwxM+F5IQFC4jLQHbKnXf+eKjQrUIai1fED+SRbod
7pkkJjUzBI6YU302ft92PiqGoNyF6NX+KjAulZ9gMPyAethbLxxGFrrG+aZg3aN5
DRiy0bYUnpG0gIm/1wh23l+AhHcpEnWIj0Zk1TpsqBmMM6asWW0NDiXURYOpXPqE
fl/gnK0HJxbgL2o/4FfEqQQLA/cXmM/mRQ1WxXkuPD8gYNZ6WONqjIwTPwUOD37K
kdGehZbpWf2BcoZyxPZ6Ar4CR1Ovl2Ud82BT7S2Gx3UaLhxLyc98VZPVwG1+PawK
MDVrMztdhb9o8XwtjOnO7POXECbJ1Ci5Uhdhjpm+bdsEQZ9x0YEsTR3bKtKt0sWE
TOTHWODPfyihDEgb867tC6UpPGJuWPFyhlgdinN5cGIMMIxnWnMYjn2BrPFEYUxS
dCvnTMgjG2k6DxI/A0eYmKinmDVOiGZp7iA32/H/ot3tXTqzFyeHCKA1STKygruD
gwHHku6XPcU=
=pVdg
-----END PGP SIGNATURE-----