6 Replies Latest reply on Dec 18, 2015 11:44 AM by catdaddy

    Microsoft : KB3116180 doesn't fix IE weaknesses; additional actions by users necessary

    Hayton

      This came in today. Since not too many Home users subscribe to Microsoft Security Bulletins I think it's worth posting here, where I hope it will get read. The extracts below contain the gist of the various Microsoft documents but leave out a lot of system-specific detail. If there's any doubt about what you need to do, you'd better read the originals.

       

      Bulletin Information:

      =====================

       

      MS15-124 - Critical

       

      - Title: Cumulative Security Update for Internet Explorer (3116180)

      - https://technet.microsoft.com/library/security/ms15-124.aspx

      - Reason for Revision: V1.1 (December 16, 2015): Bulletin revised to further clarify the steps users must take to be protected

         from the vulnerability described in CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user action is required to enable them; the cumulative update for Internet Explorer does not enable the protections by default.

       

      Before applying the protections, Microsoft recommends that customers perform testing appropriate to their environment and system configurations.

      - Originally posted: December 08, 2015

      - Updated: December 16, 2015

      - Bulletin Severity Rating: Critical

      - Version: 1.1

       

       

      Microsoft Security Bulletin MS15-124 - Critical

      Update FAQ

       

       

      Are there any further steps I need to carry out to be protected from the vulnerabilities described in this bulletin?

      Yes. It is important to note that your system is not protected from CVE-2015-6161 unless you carry out the instructions included in the vulnerability information section for CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user interaction is required to enable them; the cumulative update does not enable the protections by default.

       

      I am running Internet Explorer 11 on Windows 10. How do I protect my system from CVE-2015-6161?

      Your system is affected by this ASLR bypass, but is not protected from it unless you do the following:

      Install either Windows 10 Cumulative Update 3116869 or Windows 10 Version 1511 Cumulative Update 3116900. See the Affected Software table for download links.

      Note: these updates are installed automatically on systems that have automatic updating enabled or for users who visit Windows Update and check for updates manually.

      Run the Microsoft easy fix available in Microsoft Knowledge Base Article 3125869 to enable the User32 Exception Handler Hardening Feature. An alternative to the easy fix is to enable this feature manually using the steps described in the vulnerability information section for CVE-2015-6161.

       

      I am running a version of Internet Explorer on a version of Windows that was released prior to Windows 10. How do I protect my system from CVE-2015-6161?

      Your system is affected by this ASLR bypass, but is not protected from it unless you do the following:

      Install Cumulative Update for Internet Explorer 3104002. See the Affected Software table for download links.

      Install security update 3109094 in MS15-135.

      Note: these updates are installed automatically on systems that have automatic updating enabled or for users who visit Windows Update and check for updates manually. Also note that you do not need to install the updates in any particular order.

      Run the Microsoft easy fix available in Microsoft Knowledge Base Article 3125869 to enable the User32 Exception Handler Hardening Feature. An alternative to the easy fix is to enable this feature manually using the steps described in the vulnerability information section for CVE-2015-6161.

       

      Internet Explorer ASLR Bypass – CVE-2015-6161

      A security feature bypass for Internet Explorer exists as a result of how exceptions are handled when dispatching certain window messages, allowing an attacker to probe the layout of the address space and thereby bypassing Address Space Layout Randomization (ASLR). By itself, the ASLR bypass does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code on a target system. Successful exploitation of the ASLR bypass requires a user to be logged on and running an affected version of Internet Explorer. The user would then need to browse to a malicious site.

      The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

      Vulnerability title

      CVE number

      Publicly disclosed

      Exploited

      Internet Explorer ASLR Bypass

      CVE-2015-6161

      No

      No

       

       

      Important: Your system is not protected from this ASLR Bypass unless you install the applicable updates and then enable the User32 Exception Handler Hardening Feature:

      Enabling the User32 Exception Handler Hardening Feature

      A Microsoft easy fix is available if you do not wish to manually enable the User32 Exception Handler Hardening Feature in Registry Editor. See Microsoft Knowledge Base Article 3125869 for the easy fix.

      Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.


      For 32-bit operating systems:

      1. Click Start, click Run, type Regedit in the Open box, and then click OK.
      2. Navigate to the following registry location:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
      3. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      4. Under the new key, add a new DWORD entry “iexplore.exe”.
      5. Set the DWORD value to 1.

       

      For x64-based operating systems:

      1. Click Start, click Run, type Regedit in the Open box, and then click OK.
      2. Navigate to the following registry location:

         

         

         

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\

         

      3. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      4. Under the new key, add a new DWORD entry “iexplore.exe”.
      5. Set the DWORD value to 1.
      6. Navigate to the following registry location:

         

         

         

        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\

         

      7. Create a new key with the name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      8. Under the new key, add a new DWORD entry “iexplore.exe”.
      9. Set the DWORD value to 1.

       

      See Microsoft Security Bulletin MS15-135 for the download links for update 3109094.

      See Knowledge Base Article 3125869 for more information and the Microsoft easy fix.

       

       

      There's also another one which will only be of interest to anyone who needs to upload pages or image files using ASP -

      MS15-DEC

       

      - Title: Microsoft Security Bulletin Summary for December 2015

      - https://technet.microsoft.com/library/security/ms15-dec.aspx

      - Reason for Revision: V1.2 (December 16, 2015): Bulletin Summary revised to add a Known Issue to the Executive Summaries table for 3104002. To resolve the issue, install hotfix 3125446. See Microsoft Knowledge Base Article 3104002 for more information.

      - Originally posted: December 08, 2015

      - Updated: December 16, 2015

      - Version: 1.2