Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.2386
Microsoft Security Bulletin MS16-119 - Critical Cumulative
Security Update for Microsoft Edge (3192890)
12 October 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Edge
Publisher: Microsoft
Operating System: Windows 10
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Access Privileged Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2016-7194 CVE-2016-7190 CVE-2016-7189
CVE-2016-3392 CVE-2016-3391 CVE-2016-3390
CVE-2016-3389 CVE-2016-3388 CVE-2016-3387
CVE-2016-3386 CVE-2016-3382 CVE-2016-3331
CVE-2016-3267
Original Bulletin:
https://technet.microsoft.com/en-us/library/security/MS16-119
Comment: CVE-2016-7189 is being actively exploited in the wild.
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS16-119 - Critical Cumulative Security Update for
Microsoft Edge (3192890)
Published: October 11, 2016
Version: 1.0
Executive Summary
This security update resolves vulnerabilities in Microsoft Edge. The most
severe of the vulnerabilities could allow remote code execution if a user
views a specially crafted webpage using Microsoft Edge. An attacker who
successfully exploited the vulnerabilities could gain the same user rights as
the current user. Customers whose accounts are configured to have fewer user
rights on the system could be less impacted than users with administrative
user rights.
This security update is rated Critical for Microsoft Edge on Windows 10.
Affected Software
Microsoft Edge
Vulnerability Information
Microsoft Edge Memory Corruption Vulnerability CVE-2016-3331
A remote code execution vulnerability exists in the way that Microsoft Edge
handles objects in memory. The vulnerability could corrupt memory in a way
that could allow an attacker to execute arbitrary code in the context of the
current user.
In a web-based attack scenario, an attacker could host a specially crafted
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. The attacker could also take
advantage of compromised websites and websites that accept or host
user-provided content or advertisements. These websites could contain
specially crafted content that could exploit the vulnerability.
The security update addresses the vulnerability by modifying how Microsoft
Edge handles objects in memory.
The following table contains a link to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Memory Corruption Vulnerability CVE-2016-3331 No No
Multiple Scripting Engine Memory Corruption Vulnerabilities
Multiple remote code execution vulnerabilities exist in the way that the
Chakra JavaScript engine renders when handling objects in memory in Microsoft
Edge. The vulnerabilities could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An attacker
who successfully exploited the vulnerabilities could gain the same user rights
as the current user. If the current user is logged on with administrative user
rights, an attacker who successfully exploited the vulnerabilities could take
control of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted
website that is designed to exploit the vulnerabilities through Microsoft Edge
and then convince a user to view the website. An attacker could also embed an
ActiveX control marked "safe for initialization" in an application or
Microsoft Office document that hosts the Edge rendering engine. The attacker
could also take advantage of compromised websites, and websites that accept or
host user-provided content or advertisements. These websites could contain
specially crafted content that could exploit the vulnerabilities.
The security update addresses the vulnerabilities by modifying how the Chakra
JavaScript scripting engine handles objects in memory.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Scripting Engine Memory Corruption Vulnerability CVE-2016-3382 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3386 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3389 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-3390 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-7190 No No
Scripting Engine Memory Corruption Vulnerability CVE-2016-7194 No No
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3267
An information disclosure vulnerability exists when Microsoft Edge does not
properly handle objects in memory. The vulnerability could allow an attacker
to detect specific files on the user's computer. In a web-based attack
scenario, an attacker could host a website that is used to attempt to exploit
the vulnerability.
In addition, compromised websites and websites that accept or host
user-generated content could contain specially crafted content that could
exploit the vulnerability. In all cases, however, an attacker would have no
way to force a user to view the attacker-controlled content. Instead, an
attacker would have to convince users to take action. For example, an attacker
could trick users into clicking a link that takes them to the attacker's site.
An attacker who successfully exploited the vulnerability could potentially
read data that was not intended to be disclosed. Note that the vulnerability
would not allow an attacker to execute code or to elevate a users rights
directly, but the vulnerability could be used to obtain information in an
attempt to further compromise the affected system. The update addresses the
vulnerability by helping to restrict what information is returned to Internet
Explorer.
The following table contains a link to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3267 No No
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3391
An information disclosure vulnerability exists when Microsoft browsers leave
credential data in memory. An attacker who successfully exploited this
vulnerability could harvest credentials from a memory dump of the browser
process. An attacker would need access to a memory dump from the affected
system.
The update addresses the vulnerability by changing the way Microsoft Browsers
store credentials in memory.
The following table contains a link to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Information Disclosure Vulnerability CVE-2016-3391 No No
Scripting Engine Remote Code Execution Vulnerability CVE-2016-7189
A remote code execution vulnerability exists when Microsoft Edge improperly
handles objects in memory. An attacker who successfully exploited the
vulnerability could obtain information to further compromise the users system.
To exploit the vulnerability, in a web-based attack scenario, an attacker
could host a website that is used to attempt to exploit the vulnerability. In
addition, compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could exploit the
vulnerability. In all cases, however, an attacker would have no way to force
users to view the attacker-controlled content. Instead, an attacker would have
to convince users to take action. For example, an attacker could trick users
into clicking a link that takes them to the attacker's site.
The update addresses the vulnerability by correcting how the affected
components handle objects in memory.
The following table contains a link to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Scripting Engine Remote Code Execution Vulnerability CVE-2016-7189 No Yes
Multiple Microsoft Browser Elevation of Privilege Vulnerabilities
Elevation of privilege vulnerabilities exist when Microsoft Edge fails to
properly secure private namespace. An attacker who successfully exploited
these vulnerabilities could gain elevated permissions on the namespace
directory of a vulnerable system and gain elevated privileges.
The vulnerabilities by themselves do not allow arbitrary code to be run.
However, these vulnerabilities could be used in conjunction with one or more
vulnerabilities (e.g. a remote code execution vulnerability and another
elevation of privilege) that could take advantage of the elevated privileges
when running.
The update addresses the vulnerabilities by correcting how Microsoft Browsers
handle namespace boundaries.
The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Browser Elevation of Privilege Vulnerability CVE-2016-3388 No No
Microsoft Browser Elevation of Privilege Vulnerability CVE-2016-3387 No No
Microsoft Browser Security Feature Bypass Vulnerability CVE-2016-3392
A security feature bypass vulnerability exists when the Edge Content Security
Policy fails to properly handle validation of certain specially crafted
documents.
An attacker could trick a user into loading a page with malicious content. To
exploit the vulnerability, an attacker would need to trick a user into loading
a page or visiting a site. The page could also be injected into a compromised
site or ad network.
The update corrects how Edge Content Security Policy validates documents.
The following table contains a link to the standard entry for the
vulnerability in the Common Vulnerabilities and Exposures list:
Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Edge Security Feature Bypass Vulnerability CVE-2016-3392 No No
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV/1xKYx+lLeg9Ub1AQhmbQ//ZFd4ksueNY8G05Y0uwG33tF1gFf5evWS
DsuaURh7OR8CPeGRqkRdTZmF2rh1z3TAr5j5yWpn8JggF0qAO5kLjho6Qq7k7GTl
Fn/ro/f9A8lrbX+C8QRdWzNS6geSdCNKDkIWRwEViiuGnujJV4q+ezQ29hNosRxC
BexZD+g5+8l83bGxPpL4GtpxIneNjQev1pqBbBrljW9ZEzOCHinYRSB9RwcUB/5f
7QV0rDSBWqo/kUqoxvck1GYMWIcDadik0BMkNRN9rh+jPiroJp0cucniZIUwRW4W
qu4YEBm6pMb0a39wul0HeHAWdMpNJJC8vSRpnQ7rVJLLZQlxv67zHwT2zXXyAEjH
40JSc2NHEjG81MCJBOPKuC5udZd7swiWeX/xMbr90p3fYho2PJLosvA9CBlDTkLF
eT86vGdda0oGyK2E2/L4zeBCoobKPXzpJQ2vhkypddmJso0KWqVr7HKM6hiShltx
lhWnpxJQvpJd+9B6N2FsEGaNepllacpThS3bsV87qudOlS4VDetYU0PUmXc3eUWA
Hem+hekoOSV8OAuShHZcfZL3QV0AjSaMRzKH5rCXukT7Y/iW+efHu0VM6PjSbsPE
3kq9hI+qyTewsArSuCESnmniHTd8ekeAA8L3bMlQFgy9/S4/sghRJy0NIKiOziDW
DyCUQx11fRM=
=A1oW
-----END PGP SIGNATURE-----