==================================================================== CERT-Renater Note d'Information No. 2016/VULN051 _____________________________________________________________________ DATE : 11/02/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Internet Explorer versions 9, 10, 11. ====================================================================== KB3134220 https://technet.microsoft.com/en-us/library/security/MS16-009 _____________________________________________________________________ MS16-009 Cumulative Security Update for Internet Explorer (3134220) Document Metadata Bulletin Number: MS16-009 Bulletin Title: Cumulative Security Update for Internet Explorer Severity: Critical KB Article: 3134220 Version: 1.0 Published Date: February 9, 2016 Executive Summary This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This security update is rated Critical for Internet Explorer 9 (IE 9), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information, see the Affected Software section. Affected Software Internet Explorer 9 Internet Explorer 10 Internet Explorer 11 Vulnerability Information DLL Loading Remote Code Execution Vulnerability - CVE-2016-0041 A remote code execution vulnerability exists when Internet Explorer improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application. The updates address the vulnerabilities by correcting how Internet Explorer validates input before loading DLL files. Vulnerability title CVE number Publicly disclosed Exploited DLL Loading Remote CVE-2016-0041 No No Code Execution Vulnerability Internet Explorer Information Disclosure Vulnerability - CVE-2016-0059 An information disclosure vulnerability exists in Internet Explorer when Hyperlink Object Library improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. To exploit the vulnerability, an attacker must convince a user to either click a link in an email message or open an Office file, and then click a link in the file. Workstations and terminal servers are primarily at risk of this vulnerability. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this. The update addresses the vulnerability by changing how certain functions handle objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Internet Explorer Information CVE-2016-0059 No No Disclosure Vulnerability Multiple Internet Explorer Memory Corruption Vulnerabilities Multiple remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit these vulnerabilities through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerabilities by modifying how Internet Explorer handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Microsoft Browser Memory CVE-2016-0060 No No Corruption Vulnerability Microsoft Browser Memory CVE-2016-0061 No No Corruption Vulnerability Microsoft Browser Memory CVE-2016-0062 No No Corruption Vulnerability Internet Explorer Memory CVE-2016-0063 No No Corruption Vulnerability Internet Explorer Memory CVE-2016-0064 No No Corruption Vulnerability Internet Explorer Memory CVE-2016-0067 No No Corruption Vulnerability Internet Explorer Memory CVE-2016-0071 No No Corruption Vulnerability Internet Explorer Memory CVE-2016-0072 No No Corruption Vulnerability Microsoft Browser Spoofing Vulnerability - CVE-2016-0077 A spoofing vulnerability exists when a Microsoft browser does not properly parse HTTP responses. An attacker who successfully exploited this vulnerability could trick a user by redirecting them to a specially crafted website. The specially crafted website could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services. To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it. In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or Instant Messenger message, and then convince the user to interact with content on the website. The update addresses the vulnerability by correcting how Microsoft Edge parses HTTP responses. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Microsoft Browser Spoofing CVE-2016-0077 No No Vulnerability Multiple Internet Explorer Elevation of Privilege Vulnerabilities Multiple elevation of privilege vulnerabilities exist when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerabilities could elevate privileges in affected versions of Internet Explorer. The vulnerabilities alone do not allow arbitrary code to be run. However, the vulnerabilities could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit the vulnerabilities to cause the arbitrary code to run at a medium integrity level (permissions of the current user). The update addresses the vulnerabilities by helping to ensure that cross-domain policies are properly enforced in Internet Explorer. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Internet Explorer Elevation CVE-2016-0068 No No of Privilege Vulnerability Internet Explorer Elevation CVE-2016-0069 No No of Privilege Vulnerability ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================