Operating System: [Win]

Published: 12 October 2016


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2386
        Microsoft Security Bulletin MS16-119 - Critical Cumulative
               Security Update for Microsoft Edge (3192890)
                              12 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Edge
Publisher:         Microsoft
Operating System:  Windows 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Access Privileged Data          -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7194 CVE-2016-7190 CVE-2016-7189
                   CVE-2016-3392 CVE-2016-3391 CVE-2016-3390
                   CVE-2016-3389 CVE-2016-3388 CVE-2016-3387
                   CVE-2016-3386 CVE-2016-3382 CVE-2016-3331
                   CVE-2016-3267  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS16-119

Comment: CVE-2016-7189 is being actively exploited in the wild.

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-119 - Critical Cumulative Security Update for
Microsoft Edge (3192890)

Published: October 11, 2016

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Microsoft Edge. The most 
severe of the vulnerabilities could allow remote code execution if a user 
views a specially crafted webpage using Microsoft Edge. An attacker who 
successfully exploited the vulnerabilities could gain the same user rights as
the current user. Customers whose accounts are configured to have fewer user 
rights on the system could be less impacted than users with administrative 
user rights.

This security update is rated Critical for Microsoft Edge on Windows 10.

Affected Software

Microsoft Edge

Vulnerability Information

Microsoft Edge Memory Corruption Vulnerability CVE-2016-3331

A remote code execution vulnerability exists in the way that Microsoft Edge 
handles objects in memory. The vulnerability could corrupt memory in a way 
that could allow an attacker to execute arbitrary code in the context of the 
current user.

In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. The attacker could also take 
advantage of compromised websites and websites that accept or host 
user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how Microsoft 
Edge handles objects in memory.

The following table contains a link to the standard entry for the 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Microsoft Browser Memory Corruption Vulnerability       CVE-2016-3331  No                  No

Multiple Scripting Engine Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that the 
Chakra JavaScript engine renders when handling objects in memory in Microsoft
Edge. The vulnerabilities could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An attacker 
who successfully exploited the vulnerabilities could gain the same user rights
as the current user. If the current user is logged on with administrative user
rights, an attacker who successfully exploited the vulnerabilities could take
control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or 
Microsoft Office document that hosts the Edge rendering engine. The attacker 
could also take advantage of compromised websites, and websites that accept or
host user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit the vulnerabilities.

The security update addresses the vulnerabilities by modifying how the Chakra
JavaScript scripting engine handles objects in memory.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Scripting Engine Memory Corruption Vulnerability        CVE-2016-3382  No                  No
Scripting Engine Memory Corruption Vulnerability        CVE-2016-3386  No                  No
Scripting Engine Memory Corruption Vulnerability        CVE-2016-3389  No                  No
Scripting Engine Memory Corruption Vulnerability        CVE-2016-3390  No                  No
Scripting Engine Memory Corruption Vulnerability        CVE-2016-7190  No                  No
Scripting Engine Memory Corruption Vulnerability        CVE-2016-7194  No                  No

Microsoft Browser Information Disclosure Vulnerability CVE-2016-3267

An information disclosure vulnerability exists when Microsoft Edge does not 
properly handle objects in memory. The vulnerability could allow an attacker 
to detect specific files on the user's computer. In a web-based attack 
scenario, an attacker could host a website that is used to attempt to exploit
the vulnerability.

In addition, compromised websites and websites that accept or host 
user-generated content could contain specially crafted content that could 
exploit the vulnerability. In all cases, however, an attacker would have no 
way to force a user to view the attacker-controlled content. Instead, an 
attacker would have to convince users to take action. For example, an attacker
could trick users into clicking a link that takes them to the attacker's site.

An attacker who successfully exploited the vulnerability could potentially 
read data that was not intended to be disclosed. Note that the vulnerability 
would not allow an attacker to execute code or to elevate a user's rights 
directly, but the vulnerability could be used to obtain information in an 
attempt to further compromise the affected system. The update addresses the 
vulnerability by helping to restrict what information is returned to Internet
Explorer.

The following table contains a link to the standard entry for the 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Microsoft Browser Information Disclosure Vulnerability  CVE-2016-3267  No                  No

Microsoft Browser Information Disclosure Vulnerability CVE-2016-3391

An information disclosure vulnerability exists when Microsoft browsers leave 
credential data in memory. An attacker who successfully exploited this 
vulnerability could harvest credentials from a memory dump of the browser 
process. An attacker would need access to a memory dump from the affected 
system.

The update addresses the vulnerability by changing the way Microsoft Browsers
store credentials in memory.

The following table contains a link to the standard entry for the 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Microsoft Browser Information Disclosure Vulnerability  CVE-2016-3391  No                  No

Scripting Engine Remote Code Execution Vulnerability CVE-2016-7189

A remote code execution vulnerability exists when Microsoft Edge improperly 
handles objects in memory. An attacker who successfully exploited the 
vulnerability could obtain information to further compromise the user's system.

To exploit the vulnerability, in a web-based attack scenario, an attacker 
could host a website that is used to attempt to exploit the vulnerability. In
addition, compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could exploit the 
vulnerability. In all cases, however, an attacker would have no way to force 
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action. For example, an attacker could trick users 
into clicking a link that takes them to the attacker's site.

The update addresses the vulnerability by correcting how the affected 
components handle objects in memory.

The following table contains a link to the standard entry for the 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Scripting Engine Remote Code Execution Vulnerability    CVE-2016-7189  No                  Yes

Multiple Microsoft Browser Elevation of Privilege Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Edge fails to 
properly secure private namespace. An attacker who successfully exploited 
these vulnerabilities could gain elevated permissions on the namespace 
directory of a vulnerable system and gain elevated privileges.

The vulnerabilities by themselves do not allow arbitrary code to be run. 
However, these vulnerabilities could be used in conjunction with one or more 
vulnerabilities (e.g. a remote code execution vulnerability and another 
elevation of privilege) that could take advantage of the elevated privileges 
when running.

The update addresses the vulnerabilities by correcting how Microsoft Browsers
handle namespace boundaries.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Microsoft Browser Elevation of Privilege Vulnerability  CVE-2016-3388  No                  No
Microsoft Browser Elevation of Privilege Vulnerability  CVE-2016-3387  No                  No

Microsoft Browser Security Feature Bypass Vulnerability CVE-2016-3392

A security feature bypass vulnerability exists when the Edge Content Security
Policy fails to properly handle validation of certain specially crafted 
documents.

An attacker could trick a user into loading a page with malicious content. To
exploit the vulnerability, an attacker would need to trick a user into loading
a page or visiting a site. The page could also be injected into a compromised
site or ad network.

The update corrects how Edge Content Security Policy validates documents.

The following table contains a link to the standard entry for the 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                     CVE number     Publicly disclosed  Exploited
Microsoft Edge Security Feature Bypass Vulnerability    CVE-2016-3392  No                  No

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================