Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1713
Microsoft Security Bulletin MS16-085 - Critical
13 July 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Edge
Publisher: Microsoft
Operating System: Windows 10
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3277 CVE-2016-3276 CVE-2016-3274
CVE-2016-3273 CVE-2016-3271 CVE-2016-3269
CVE-2016-3265 CVE-2016-3264 CVE-2016-3260
CVE-2016-3259 CVE-2016-3248 CVE-2016-3246
CVE-2016-3244
Reference: ESB-2016.1712
Original Bulletin:
https://technet.microsoft.com/library/security/MS16-085
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS16-085 - Critical
Cumulative Security Update for Microsoft Edge (3169999)
Published: July 12, 2016
Version: 1.0
Executive Summary
This security update resolves vulnerabilities in Microsoft Edge. The most
severe of the vulnerabilities could allow remote code execution if a user
views a specially crafted webpage using Microsoft Edge. An attacker who
successfully exploited the vulnerabilities could gain the same user rights as
the current user. Customers whose accounts are configured to have fewer user
rights on the system could be less impacted than users with administrative
user rights.
This security update is rated Critical for Microsoft Edge on Windows 10. For
more information, see the Affected Software section.
Affected Software
Microsoft Edge
Windows 10 for 32-bit Systems [1]
Windows 10 for x64-based Systems [1]
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems [1]
[1]Windows 10 updates are cumulative. The monthly security release includes
all security fixes for vulnerabilities that affect Windows 10, in addition to
non-security updates. The updates are available via the Microsoft Update
Catalog.
Vulnerability Information
Microsoft Edge Security Feature Bypass CVE-2016-3244
A security feature bypass exists when Microsoft Edge does not properly
implement Address Space Layout Randomization (ASLR). The vulnerability could
allow an attacker to bypass the ASLR security feature, after which the
attacker could load additional malicious code in the process in an attempt to
exploit another vulnerability.
An attacker who successfully exploited this vulnerability could bypass the
ASLR security feature, which protects users from a broad class of
vulnerabilities. The security feature bypass by itself does not allow
arbitrary code execution. However, an attacker could use this ASLR bypass
vulnerability in conjunction with another vulnerability, such as a remote code
execution vulnerability that could take advantage of the ASLR bypass to run
arbitrary code.
In a web-based attack scenario, an attacker could host a website that is used
to attempt to exploit this vulnerability. In addition, compromised websites
and websites that accept or host user-provided content could contain specially
crafted content that could exploit this vulnerability. An attacker would have
no way to force users to visit a specially crafted website. Instead, an
attacker would have to convince users to take action. For example, an attacker
could trick users into clicking a link that takes them to the attacker's site.
The update addresses the vulnerability by helping to ensure that Microsoft
Edge properly implements ASLR.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Edge Security Feature Bypass CVE-2016-3244 No No
Multiple Edge Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist when Microsoft Edge
improperly accesses objects in memory. The vulnerabilities could corrupt
memory in such a way that enables an attacker to execute arbitrary code in the
context of the current user. An attacker who successfully exploited the
vulnerabilities could gain the same user rights as the current user. If the
current user is logged on with administrative user rights, an attacker could
take control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit
the vulnerabilities through Microsoft Edge, and then convince a user to view
the website. The attacker could also take advantage of compromised websites
and websites that accept or host user-provided content or advertisements by
adding specially crafted content that could exploit the vulnerabilities. In
all cases, however, an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to convince users
to take action, typically by way of enticement in an email or Instant
Messenger message, or by getting them to open an attachment sent through
email. The update addresses the vulnerabilities by modifying how Microsoft
Edge handles objects in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Edge Memory Corruption Vulnerability CVE-2016-3246 No No
Microsoft Browser Memory Corruption Vulnerability CVE-2016-3264 No No
Multiple Scripting Engine Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in the way that the
Chakra JavaScript engine renders when handling objects in memory in Microsoft
Edge. The vulnerabilities could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An attacker
who successfully exploited the vulnerabilities could gain the same user rights
as the current user. If the current user is logged on with administrative user
rights, an attacker who successfully exploited the vulnerabilities could take
control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or
Microsoft Office document that hosts the Edge rendering engine. The attacker
could also take advantage of compromised websites, and websites that accept or
host user-provided content or advertisements. These websites could contain
specially crafted content that could exploit the vulnerabilities. The update
addresses the vulnerabilities by modifying how the Chakra JavaScript scripting
engine handles objects in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Scripting Engine Memory Corruption Vulnerability CVE-2016-3248 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3259 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3260 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3265 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3269 No No
Scripting Engine Information Disclosure Vulnerability - CVE-2016-3271
An information disclosure vulnerability exists when VBScript improperly
discloses the contents of its memory, which could provide an attacker with
information to further compromise the users computer or data.
To exploit the vulnerability, an attacker must know the memory address of
where the object was created. The update addresses the vulnerability by
changing the way certain functions handle objects in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Scripting Engine Information Disclosure Vulnerability CVE-2016-3271 No No
Microsoft Browser Information Disclosure Vulnerability - CVE-2016-3273
An information disclosure vulnerability exists when the Microsoft Browser XSS
Filter does not properly validate content under specific conditions. An
attacker who exploited the vulnerability could run arbitrary JavaScript that
could lead to an information disclosure.
In a web-based attack scenario, an attacker could host a website in an attempt
to exploit this vulnerability. In addition, compromised websites and websites
that accept or host user-provided content could contain specially crafted
content that could exploit the vulnerability.
However, in all cases an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to convince users
to take action. For example, an attacker could trick users into clicking a
link that takes the user to the attacker's site. The update addresses the
vulnerability by fixing how the Microsoft Browser XSS Filter validates
content.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Information Disclosure Filter Vulnerability CVE-2016-3273 No No
Microsoft Browser Spoofing Vulnerability CVE-2016-3274
A spoofing vulnerability exists when a Microsoft browser does not properly
parse HTTP content. An attacker who successfully exploited this vulnerability
could trick a user by redirecting the user to a specially crafted website. The
specially crafted website could either spoof content or serve as a pivot to
chain an attack with other vulnerabilities in web services.
To exploit the vulnerability, the user must click a specially crafted URL. In
an email attack scenario, an attacker could send an email message containing
the specially crafted URL to the user in an attempt to convince the user to
click it.
In a web-based attack scenario, an attacker could host a specially crafted
website designed to appear as a legitimate website to the user. However, the
attacker would have no way to force the user to visit the specially crafted
website. The attacker would have to convince the user to visit the specially
crafted website, typically by way of enticement in an email or Instant
Messenger message, and then convince the user to interact with content on the
website. The update addresses the vulnerability by correcting how the
Microsoft browser parses HTTP responses.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Spoofing Vulnerability CVE-2016-3274 No No
Microsoft Browser Spoofing Vulnerability CVE-2016-3276
A spoofing vulnerability exists when the Microsoft Browser in reader mode does
not properly parse HTML content. An attacker who successfully exploited this
vulnerability could trick a user by redirecting them to a specially crafted
website. The specially crafted website could spoof content or serve as a pivot
to chain an attack with other vulnerabilities in web services.
To exploit the vulnerability, the user must click a specially crafted URL. In
an email attack scenario, an attacker could send an email message containing
the specially crafted URL to the user in an attempt to convince the user to
click it.
In a web-based attack scenario, an attacker could host a specially crafted
website designed to appear as a legitimate website to the user. However, the
attacker would have no way to force the user to visit the specially crafted
website. The attacker would have to convince the user to visit the specially
crafted website, typically by way of enticement in an email or Instant
Messenger message, and then convince the user to interact with content on the
website. The update addresses the vulnerability by correcting how the
Microsoft Browser parses HTML.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Spoofing Vulnerability CVE-2016-3276 No No
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3277
An information disclosure vulnerability exists when the Microsoft Browser
improperly handles objects in memory. An attacker who successfully exploited
this vulnerability could obtain information to further compromise the users
system.
To exploit the vulnerability, in a web-based attack scenario, an attacker
could host a website that is used to attempt to exploit the vulnerability. In
addition, compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could exploit the
vulnerability. In all cases, however, an attacker would have no way to force
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action. For example, an attacker could trick users
into clicking a link that takes them to the attacker's site. The update
addresses the vulnerability by changing how certain functions handle objects
in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3277 No No
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV4WJN4x+lLeg9Ub1AQj6IA//QLELwy40RBt8yMGaSCw19OHhBm9b3LSr
Kt1IrISSXjS6JkuN3280a/2dG4lDcpeg2BCK9iJB2/QxgNAWA4D+tIUkJguziaog
F9QFLpA0JYJ+gHK//vv9q9Srgw1QSvz1lXVyfgA+OKYoRPklc9nfJy97+tOTyXDH
rDe1m+YeTkTFgnuXdHOVnRn/YvCV4pLVSzy9VP4mXiMGDJM39+y+QavvY9uoJ7IT
6kgVaEIDUTGjSPF+6/aKHbuDO40ycaRti3KNsB6HR7w/nFxtwg/NYAjyswr9F68z
zmIVXv81+jjxMHR5q35TV59+Ar2bv6JuV6P3DPTLQyV5G4CSP/AT6RATPkx5srey
MbY5URXiXR9CY4bCVHVfGQJBGiFqwcXaOA5+iHQUEoCBwL8cAC7t4NcrJOADRYlF
GHDXuRMLB6oGL3KH8hIZZd7X1PIDm1emdAdaGCP7ONNK82Oexu/q01pk4xrCBOdo
q4qP0GXuMcMkRKmMRyV+eBMkagn6qMArGobXOROH1x2sYAhzMYUqjJJPxouiBXVE
yw8JUrMGac4OZj4UCQa6KUFUDWc6C5jBMha8h2c+BohnWBOA7pFQghzK0tWAjmag
MX36zNAC6SK2UMgMpVQ/x/0+03BIY1vdQr3ulGBG9TkmNzwcDx5alyitIDPhlTRe
4uS+bB9xJSA=
=Pjwx
-----END PGP SIGNATURE-----