cancel
Showing results for 
Search instead for 
Did you mean: 
Hayton
Level 18
Report Inappropriate Content
Message 1 of 7

Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

This came in today. Since not too many Home users subscribe to Microsoft Security Bulletins I think it's worth posting here, where I hope it will get read. The extracts below contain the gist of the various Microsoft documents but leave out a lot of system-specific detail. If there's any doubt about what you need to do, you'd better read the originals.


Bulletin Information:


=====================



MS15-124 - Critical



- Title: Cumulative Security Update for Internet Explorer (3116180)


- https://technet.microsoft.com/library/security/ms15-124.aspx


- Reason for Revision: V1.1 (December 16, 2015): Bulletin revised to further clarify the steps users must take to be protected


   from the vulnerability described in CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user action is required to enable them; the cumulative update for Internet Explorer does not enable the protections by default.



Before applying the protections, Microsoft recommends that customers perform testing appropriate to their environment and system configurations.


- Originally posted: December 08, 2015


- Updated: December 16, 2015


- Bulletin Severity Rating: Critical


- Version: 1.1





Microsoft Security Bulletin MS15-124 - Critical


Update FAQ




Are there any further steps I need to carry out to be protected from the vulnerabilities described in this bulletin?


Yes. It is important to note that your system is not protected from CVE-2015-6161 unless you carry out the instructions included in the vulnerability information section for CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user interaction is required to enable them; the cumulative update does not enable the protections by default.



I am running Internet Explorer 11 on Windows 10. How do I protect my system from CVE-2015-6161?


Your system is affected by this ASLR bypass, but is not protected from it unless you do the following:


Install either Windows 10 Cumulative Update 3116869 or Windows 10 Version 1511 Cumulative Update 3116900. See the Affected Software table for download links.


Note: these updates are installed automatically on systems that have automatic updating enabled or for users who visit Windows Update and check for updates manually.


Run the Microsoft easy fix available in Microsoft Knowledge Base Article 3125869 to enable the User32 Exception Handler Hardening Feature. An alternative to the easy fix is to enable this feature manually using the steps described in the vulnerability information section for CVE-2015-6161.



I am running a version of Internet Explorer on a version of Windows that was released prior to Windows 10. How do I protect my system from CVE-2015-6161?


Your system is affected by this ASLR bypass, but is not protected from it unless you do the following:


Install Cumulative Update for Internet Explorer 3104002. See the Affected Software table for download links.


Install security update 3109094 in MS15-135.


Note: these updates are installed automatically on systems that have automatic updating enabled or for users who visit Windows Update and check for updates manually. Also note that you do not need to install the updates in any particular order.


Run the Microsoft easy fix available in Microsoft Knowledge Base Article 3125869 to enable the User32 Exception Handler Hardening Feature. An alternative to the easy fix is to enable this feature manually using the steps described in the vulnerability information section for CVE-2015-6161.




Internet Explorer ASLR Bypass – CVE-2015-6161


A security feature bypass for Internet Explorer exists as a result of how exceptions are handled when dispatching certain window messages, allowing an attacker to probe the layout of the address space and thereby bypassing Address Space Layout Randomization (ASLR). By itself, the ASLR bypass does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code on a target system. Successful exploitation of the ASLR bypass requires a user to be logged on and running an affected version of Internet Explorer. The user would then need to browse to a malicious site.


The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:


















Vulnerability title



CVE number



Publicly disclosed



Exploited



Internet Explorer ASLR Bypass



CVE-2015-6161



No



No





Important: Your system is not protected from this ASLR Bypass unless you install the applicable updates and then enable the User32 Exception Handler Hardening Feature:



Enabling the User32 Exception Handler Hardening Feature


A Microsoft easy fix is available if you do not wish to manually enable the User32 Exception Handler Hardening Feature in Registry Editor. See Microsoft Knowledge Base Article 3125869 for the easy fix.


Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.




For 32-bit operating systems:



  1. Click Start, click Run, type Regedit in the Open box, and then click OK.

  2. Navigate to the following registry location:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\




  3. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING

  4. Under the new key, add a new DWORD entry “iexplore.exe”.

  5. Set the DWORD value to 1.



For x64-based operating systems:



  1. Click Start, click Run, type Regedit in the Open box, and then click OK.

  2. Navigate to the following registry location:






    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\






  3. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING

  4. Under the new key, add a new DWORD entry “iexplore.exe”.

  5. Set the DWORD value to 1.

  6. Navigate to the following registry location:






    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\






  7. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING

  8. Under the new key, add a new DWORD entry “iexplore.exe”.

  9. Set the DWORD value to 1.



See Microsoft Security Bulletin MS15-135 for the download links for update 3109094.


See Knowledge Base Article 3125869 for more information and the Microsoft easy fix.




There's also another one which will only be of interest to anyone who needs to upload pages or image files using ASP -


MS15-DEC



- Title: Microsoft Security Bulletin Summary for December 2015


- https://technet.microsoft.com/library/security/ms15-dec.aspx


- Reason for Revision: V1.2 (December 16, 2015): Bulletin Summary revised to add a Known Issue to the Executive Summaries table for 3104002. To resolve the issue, install hotfix 3125446. See Microsoft Knowledge Base Article 3104002 for more information.


- Originally posted: December 08, 2015


- Updated: December 16, 2015


- Version: 1.2





6 Replies

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

Are you saying we should in addition enable 'User 32 Exception Handler Hardner' https://support.microsoft.com/en-us/kb/3125869  ?  In addition to the other required (Installed) updates?

(Note)  Windows7 Sp1 Internet Explorer 11

Thanks Mate..

Cliff
McAfee Volunteer
Hayton
Level 18
Report Inappropriate Content
Message 3 of 7

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

That's what it says in the Microsoft document. Of course, I was doing a cut-and-paste job, so I may have overlooked something. That's why I said, read the article(s) if it's not clear. Although anyone who does is likely to end up somewhat confused : the whole thing is made to appear messy and complex, probably it looks more complex than it is.

exbrit
Level 21
Report Inappropriate Content
Message 4 of 7

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

I'll try the KB article easy fix first and see if it gives me world domination in a mouse-click, just kidding.

Why do MS make life so difficult?

Hayton
Level 18
Report Inappropriate Content
Message 5 of 7

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary


Ex_Brit wrote:


Why do MS make life so difficult?


It's to distract us all from their own overarching plans for total world domination

exbrit
Level 21
Report Inappropriate Content
Message 6 of 7

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

Oh is that all?  Too bad, I'll just have to find another world to dominate then.

Back to reality, IE didn't crash after I applied "The Fix", not that I use IE much, and my computer didn't suddenly walk out of the room, so all is well thus far.

Re: Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

Thanks Guys...I believe I will simply use the link I inserted up top and download/install/enable and close/open browser.

Cliff
McAfee Volunteer