===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1491
    MS16-068 - Cumulative Security Update for Microsoft Edge (3163656)
                               15 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Edge
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3222 CVE-2016-3215 CVE-2016-3214
                   CVE-2016-3203 CVE-2016-3202 CVE-2016-3201
                   CVE-2016-3199 CVE-2016-3198 

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS16-068

--------------------------BEGIN INCLUDED TEXT--------------------

MS16-068 - Cumulative Security Update for Microsoft Edge (3163656)

Executive Summary

This security update resolves vulnerabilities in Microsoft Edge. The most 
severe of the vulnerabilities could allow remote code execution if a user 
views a specially crafted webpage using Microsoft Edge. An attacker who 
successfully exploited the vulnerabilities could gain the same user rights as
the current user. Customers whose accounts are configured to have fewer user 
rights on the system could be less impacted than users with administrative 
user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

Affected Software

Microsoft Edge

Vulnerability Information

Microsoft Edge Security Feature Bypass - CVE-2016-3198

A security feature bypass exists in Microsoft Edge when the Edge Content 
Security Policy (CSP) fails to properly validate certain specially crafted 
documents. An attacker who exploited the bypass could trick a user into 
loading a page containing malicious content.

To exploit the bypass, an attacker must trick a user into either loading a 
page containing malicious content or visiting a malicious website. The 
attacker could also inject the malicious page into either a compromised 
website or an advertisement network. The update addresses the bypass by 
correcting how the Edge CSP validates documents.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                      CVE number     Publicly disclosed  Exploited
Microsoft Edge Security Feature Bypass   CVE-2016-3198  No                  No

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the
Chakra JavaScript engine handles objects in memory in Microsoft Edge. The
vulnerabilities could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An attacker 
who successfully exploited the vulnerabilities could gain the same user rights
as the current user. If the current user is logged on with administrative user
rights, an attacker who successfully exploited the vulnerabilities could take
control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or 
Microsoft Office document that hosts the Edge rendering engine. The attacker 
could also take advantage of compromised websites, and websites that accept or
host user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit the vulnerabilities. The update 
addresses the vulnerabilities by modifying how the Chakra JavaScript scripting
engine handles objects in memory.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                               CVE number     Publicly disclosed  Exploited
Scripting Engine Memory Corruption Vulnerability  CVE-2016-3199  No                  No
Scripting Engine Memory Corruption Vulnerability  CVE-2016-3202  No                  No
Scripting Engine Memory Corruption Vulnerability  CVE-2016-3214  No                  No
Microsoft Edge Memory Corruption Vulnerability    CVE-2016-3222  Yes                 No

Multiple Windows PDF Information Disclosure Vulnerabilities

Information disclosure vulnerabilities exist in Microsoft Windows when a user
opens a specially crafted .pdf file. An attacker who successfully exploited 
the vulnerabilities could read information in the context of the current user.

To exploit the vulnerabilities, an attacker would have to trick the user into
opening the .pdf file. The update addresses the vulnerabilities by modifying 
how Windows parses .pdf files.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                               CVE number     Publicly disclosed  Exploited
Windows PDF Information Disclosure Vulnerability  CVE-2016-3201  No                  No
Windows PDF Information Disclosure Vulnerability  CVE-2016-3215  No                  No

Windows PDF Remote Code Execution Vulnerability - CVE-2016-3203

A remote code execution vulnerability exists in Microsoft Windows if a user 
opens a specially crafted .pdf file. An attacker who successfully exploited 
the vulnerability could cause arbitrary code to execute in the context of the
current user.

To exploit the vulnerability, an attacker must entice the user to open a
specially crafted .pdf file. The update addresses the vulnerability by
modifying how Windows parses .pdf files.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                               CVE number     Publicly disclosed  Exploited
Windows PDF Remote Code Execution Vulnerability   CVE-2016-3203  No                  No

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================