
SANS Internet Storm Center (ISC) InfoSec Forums: Microsoft Security Bulletin MS15-093 - Critical OOB - Internet Explorer RCE


Microsoft Security Bulletin MS15-093 - Critical OOB - Internet Explorer RCE

Security Update for Internet Explorer (3088903)

Recommendation: Test and patch ASAP

Mitigation option: EMET 5.2 configured to protect Internet Explorer (the default configuration) is able to block the known exploit

Related Bulletin and KBs:

https://technet.microsoft.com/library/security/MS15-093

https://support.microsoft.com/en-us/kb/3087985
https://support.microsoft.com/en-us/kb/3081444
https://support.microsoft.com/en-us/kb/3088903

Executive Summary

"This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
This security update is rated Critical for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section.
The security update addresses the vulnerability by modifying how Internet Explorer handles objects in memory.
For more information about this update, see Microsoft Knowledge Base Article 3088903."

Vulnerability Information

"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."

See the bulletin for all affected software.

Russ McRee | @holisticinfosec


Russ McRee

183 Posts
ISC Handler
I've heard that EMET 5.2 with the default config eliminates the chance of exploitation via this vulnerability. Can anyone confirm or deny?
MarkJx

5 Posts
True statement, Mark. Added as mitigation to diary post.
Russ McRee

183 Posts
ISC Handler
We noticed the requirement "must first install the 3078071 update released on August 11, 2015 before installing the 3087985 update", and are testing whether this will be handled in ONE reboot when deploying via WSUS - or whether we risk the machines requiring two reboots.
Multiple reboots could be an issue when it comes to boot order etc.
dotBATman

63 Posts
This is probably worth emphasizing as well, otherwise many may not notice the lower severity for servers.

"Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers."
SteveYarlly

1 Posts
Everyone needs to ensure EMET is tested properly before rushing to deploy it as a fix. My enterprise right now is having issues with EMET mitigation features blocking the iexplore.exe process. Luckily you can work around these known issues by disabling only the EMET mitigation features responsible, such as ROP Callback, EAF, and SEHOP.
kyle

5 Posts
@dotBATman:
Were you able to confirm the need for 2 or 1 reboots?
AAInfoSec

48 Posts
We tested the reboot options and it does appear that the 8/11 patch must be installed and the machine rebooted before WSUS will even recognize that the machine needs 15-093.
AAInfoSec
1 Posts
I have confirmed in our enterprise that it only requires one reboot.

3078071 requires a reboot, but 3087985 does not.

This is a Windows 7 environment with 2008 R2 AD and WSUS running on 2008 R2.

One thing I have noticed though is that you have to install 3078071 first and reboot BEFORE 3087985 will even show in the update list.

I'll be deploying this today for privileged users and over the weekend to all other workstations.

Good luck.

Blaine
Blaine

2 Posts
I can confirm in my enterprise that only 3078071 requires a reboot. However, 3087985 will not show in the update list until after 3078071 is installed.

3087985 may require IE to be closed, but does not require a reboot.

We will have to run two updates in a row.

My environment is Server 2008 R2 AD and Server 2008 R2 with WSUS 3.2.7600.256.

Good luck.

Blaine
Blaine

2 Posts
SteveYarlly: The security rating is only lower for servers due to the fact that you are less likely to (and should NOT) use servers for internet surfing.

Note that Terminal Servers being used for user-driven activities need to be treated just like any other client computer when it comes to turnaround on patches.
dotBATman

63 Posts
Thanks for sharing patch sequence / reboot findings! We have seen the same and will be able to proceed with approving both updates for deployment. We can do this knowing that WSUS will not install these in the wrong order and it will not require two reboots.
dotBATman

63 Posts
Quoting dotBATman: Thanks for sharing patch sequence / reboot findings! We have seen the same and will be able to proceed with approving both updates for deployment. We can do this knowing that WSUS will not install these in the wrong order and it will not require two reboots.

OK - we just did more testing on Windows Server 2012 R2 (install via Windows Update running off the WSUS server), and KB3087985/MS15-093 did require a reboot after installation.

Sorry, it is still not clear!
dotBATman

63 Posts
One more test was completed - in the last "reboot is required" test there was an open Internet Explorer window.

Ran the patch on another computer after the "August updates reboot", and the OOB fix installed successfully with no reboot required.

Good luck.
dotBATman

63 Posts
Anyone having an issue with opening IE after the installation? We have some users that get a "View and Track Downloads" window with an .htm file from our Intranet whenever they try to open IE. At least on one system, the Internet Options control panel wouldn't launch (no error).

Uninstall this patch, and IE works again.
Anonymous
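The diary lists the bulletin's KB numbers and the thread above works out the deployment order (3078071 and its reboot first, then 3087985, with IE closed). The following PowerShell is an added example, not code from the ISC post, any of the commenters, or Microsoft: it audits one client for the listed updates and the installed IE version, checks the standard servicing and Windows Update reboot-pending indicators, and reports which step in the thread's sequence the machine is at. The KB roles are taken from the page; treating KB3081444 as an alternative delivery of the same fix is an assumption, as is the choice of registry paths as the reboot-pending signal.

```powershell
# Added example for this diary and thread (not from the ISC post, the
# commenters, or Microsoft). Run in an elevated PowerShell session.

function Get-IEVersion {
    # IE 10 and later record the real version in svcVersion; older releases only in Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie -and $ie.svcVersion) { return $ie.svcVersion }
    if ($ie) { return $ie.Version }
    return $null
}

function Get-BulletinUpdates {
    # KB numbers are those listed in the diary. Which identifier is reported as an
    # installed hotfix depends on OS and update channel (assumption), so all are
    # checked and returned with their install date, or $null when absent.
    $kbs = 'KB3078071', 'KB3087985', 'KB3081444', 'KB3088903'
    $result = [ordered]@{}
    foreach ($kb in $kbs) {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        $result[$kb] = if ($hf) { $hf.InstalledOn } else { $null }
    }
    return $result
}

function Test-PendingReboot {
    # Standard indicators left behind by servicing and Windows Update when an
    # installed update still needs a restart.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pfr = [bool]($sm -and $sm.PendingFileRenameOperations)
    return ($cbs -or $wu -or $pfr)
}

function Get-MS15093DeployStep {
    # Decide what this machine needs next, following the order the commenters
    # observed with WSUS: prerequisite, reboot, then the out-of-band update.
    $u = Get-BulletinUpdates
    if ($u['KB3087985'] -or $u['KB3081444']) {   # assumption: either KB delivers the fix
        return 'Done: MS15-093 update is installed'
    }
    if (-not $u['KB3078071']) {
        return 'Step 1: install KB3078071 (August 11, 2015 IE update) and reboot'
    }
    if (Test-PendingReboot) {
        return 'Step 2: reboot still pending from KB3078071; WSUS will not offer KB3087985 until it completes'
    }
    if (Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
        return 'Step 3: close Internet Explorer, then install KB3087985 (the thread saw a reboot only when IE was left open)'
    }
    return 'Step 3: install KB3087985'
}

# Report for the local machine.
$updates = Get-BulletinUpdates
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    IEVersion     = Get-IEVersion
    KB3078071     = $updates['KB3078071']
    KB3087985     = $updates['KB3087985']
    KB3081444     = $updates['KB3081444']
    KB3088903     = $updates['KB3088903']
    RebootPending = Test-PendingReboot
    NextStep      = Get-MS15093DeployStep
} | Format-List
```

To run the same audit across a fleet, save the block as a script (for instance `ms15-093-check.ps1`, a name chosen here) and invoke it remotely with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\ms15-093-check.ps1`; machines reporting "Step 2" are the ones where approving KB3087985 in WSUS alone will not help until the pending restart from the August update has completed, which matches what AAInfoSec and Blaine describe above.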
