Microsoft Security Bulletin MS15-093 - Critical OOB - Internet Explorer RCE

Published: 2015-08-18
Last Updated: 2015-08-19 05:41:24 UTC
by Russ McRee (Version: 1)
14 comment(s)

Security Update for Internet Explorer (3088903)

Recommendation: Test and patch ASAP

Mitigation option: EMET 5.2 configured to protect Internet Explorer (its default configuration) blocks the known exploit. EMET is a stopgap, not a replacement for the update: test it against your IE deployment before rolling it out, since EMET mitigations can interfere with iexplore.exe (see the comments).

Related Bulletin and KBs: 

https://technet.microsoft.com/library/security/MS15-093

https://support.microsoft.com/en-us/kb/3087985
https://support.microsoft.com/en-us/kb/3081444
https://support.microsoft.com/en-us/kb/3088903

Executive Summary

"This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section.
The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3088903."

Vulnerability Information

"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."

See bulletin for all affected software 
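As an added check (not part of the original diary or of Microsoft's bulletin), the PowerShell below reports MS15-093 patch state across a set of Windows 7 / Server 2008 R2 hosts. It reflects what the commenters observed: KB 3078071 has to be installed and the machine rebooted before KB 3087985 is even offered by WSUS. The KB numbers come from this page; the host names, the registry markers used to detect a pending reboot, and the reliance on WMI and the Remote Registry service are assumptions to adjust for your environment.

```powershell
# Added example (not from the diary or from Microsoft): report MS15-093 patch
# state for one or more Windows 7 / Server 2008 R2 hosts.
#
# KB numbers come from the diary and its comments. Host names, the registry
# markers used to detect a pending reboot, and the use of Remote Registry are
# assumptions; adjust for your environment.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$Prereq = 'KB3078071'   # August 11, 2015 update; install and reboot before the IE fix is offered
$Fix    = 'KB3087985'   # MS15-093 IE update discussed in the comments

# Registry keys whose presence indicates a reboot is still pending.
$RebootMarkers = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)

foreach ($c in $ComputerName) {
    # Get-HotFix queries Win32_QuickFixEngineering over WMI/DCOM.
    try {
        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "$c : could not enumerate hotfixes ($($_.Exception.Message))"
        continue
    }
    $hasPrereq = $installed -contains $Prereq
    $hasFix    = $installed -contains $Fix

    # Pending reboot and IE version via the remote registry (needs the Remote Registry service).
    $rebootPending = $false
    $ieVersion     = 'unknown'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        foreach ($k in $RebootMarkers) {
            if ($hklm.OpenSubKey($k)) { $rebootPending = $true }
        }
        $ie = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
        if ($ie) {
            # svcVersion is present on IE 10 and later, Version on older releases.
            $ieVersion = $ie.GetValue('svcVersion')
            if (-not $ieVersion) { $ieVersion = $ie.GetValue('Version') }
        }
    } catch {
        Write-Warning "$c : remote registry unavailable ($($_.Exception.Message))"
    }

    # Order matters: the fix cannot be present without the prerequisite, and a
    # host that has the prerequisite but has not rebooted will not be offered the fix.
    $state = if ($hasFix) { 'PATCHED' }
             elseif ($hasPrereq -and $rebootPending) { 'PREREQ INSTALLED, REBOOT PENDING (fix not yet offered)' }
             elseif ($hasPrereq) { 'PREREQ INSTALLED, FIX MISSING' }
             else { 'PREREQ MISSING' }

    [pscustomobject]@{
        Computer      = $c
        IEVersion     = $ieVersion
        KB3078071     = $hasPrereq
        KB3087985     = $hasFix
        RebootPending = $rebootPending
        State         = $state
    }
}
```

Run it as, for example, `.\Check-MS15093.ps1 -ComputerName ws01,ws02,ts01 | Format-Table -AutoSize`, and treat terminal servers in the output as workstations when prioritising. Hosts that receive a different package for this bulletin (the diary also lists KB 3081444) need `$Fix` changed accordingly; the check is against what Get-HotFix reports, so it will not see an update that is downloaded but not yet installed.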

Russ McRee | @holisticinfosec

 


Comments

I've heard that EMET 5.2 with the default config eliminates the chance of exploitation via this vulnerability. Can anyone confirm or deny?
True statement, Mark. Added as mitigation to diary post.
We noticed the requirement "must first install the 3078071 update released on August 11, 2015 before installing the 3087985 update", and are testing if this will be handled in ONE reboot when deploying via WSUS - or if we could risk that the machines require two reboots.
Multiple reboots could be an issue when it comes to boot order etc.
This is probably worth emphasizing as well, otherwise many may not notice the lower severity for servers.

"Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers."
Everyone needs to ensure EMET is tested properly before rushing to deploy it as a fix. My enterprise right now is having issues with EMET mitigation features blocking the iexplore.exe process. Luckily you can work around these known issues by disabling only the EMET mitigation features responsible, such as ROP Callback, EAF, and SEHOP.
@dotBATman:
Were you able to confirm the need for 2 or 1 reboots?
We tested the reboot options and it does appear that the 8/11 patch must be installed and the machine rebooted before WSUS will even recognize that the machine needs 15-093.
I have confirmed in our enterprise that it only requires one reboot.

3078071 requires a reboot, but 3087985 does not.

This is a win 7 environment with 2008 R2 AD and WSUS running on 2008 R2.

One thing I have noticed though is that you have to install 3078071 first and reboot BEFORE 3087985 will even show in the update list.

I'll be deploying this today for privileged users and over the weekend to all other workstations.

Good luck.

Blaine
I can confirm in my enterprise that only 3078071 requires a reboot. However, 3087985 will not show in the update list after 3078071 is installed.

3087985 may require IE to be closed, but does not require a reboot.

We will have to run two updates in a row.

My environment is Server 2008 R2 AD and Server 2008 R2 with WSUS 3.2.7600.256.

Good luck.

Blaine
SteveYarlly: The security rating is only lower for servers because you are less likely to (and should NOT) use servers for internet surfing.

Note that Terminal Servers being used for user-driven activities need to be treated just like any other client computer when it comes to turnaround on patches.
