
====================================================================

                                CERT-Renater

                     Information Note No. 2016/VULN158
_____________________________________________________________________

DATE                : 13/04/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Internet Explorer versions 9, 10, 11.

======================================================================
KB3148531
https://technet.microsoft.com/en-us/library/security/MS16-037
_____________________________________________________________________

MS16-037 - Cumulative Security Update for Internet Explorer (3148531)

Bulletin Number: MS16-037

Bulletin Title: Cumulative Security Update for Internet Explorer

Severity: Critical

KB Article: 3148531

Version: 1.0

Executive Summary

This security update resolves vulnerabilities in Internet Explorer. The
most severe of the vulnerabilities could allow remote code execution if
a user views a specially crafted webpage using Internet Explorer. An
attacker who successfully exploited the vulnerabilities could gain the
same user rights as the current user. If the current user is logged on
with administrative user rights, an attacker could take control of an
affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9),
and Internet Explorer 11 (IE 11) on affected Windows clients, and
Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10),
and Internet Explorer 11 (IE 11) on affected Windows servers.


Affected Software

Internet Explorer 9

Internet Explorer 10

Internet Explorer 11


Vulnerability Information

Multiple Internet Explorer Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist when Internet
Explorer improperly accesses objects in memory. These vulnerabilities
could corrupt memory in such a way that an attacker could execute
arbitrary code in the context of the current user.

An attacker could host a specially crafted website that is designed to
exploit these vulnerabilities through Internet Explorer, and then
convince a user to view the website. The attacker could also take
advantage of compromised websites, or websites that accept or host
user-generated content or advertisements, by adding specially crafted
content that could exploit the vulnerabilities. In all cases, however,
an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to
convince users to take action, typically by an enticement in an email
or Instant Messenger message, or by getting them to open an attachment
sent through email.

An attacker who successfully exploited these vulnerabilities could gain
the same user rights as the current user. If the current user is logged
on with administrative user rights, the attacker could take control of
an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
The update addresses the vulnerabilities by modifying how Internet
Explorer handles objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title        CVE number      Publicly disclosed   Exploited

Microsoft Browser Memory
Corruption Vulnerability   CVE-2016-0154   No                   No

Internet Explorer Memory
Corruption Vulnerability   CVE-2016-0159   No                   No

Internet Explorer Memory
Corruption Vulnerability   CVE-2016-0164   No                   No

Internet Explorer Memory
Corruption Vulnerability   CVE-2016-0166   No                   No


DLL Loading Remote Code Execution Vulnerability - CVE-2016-0160

A remote code execution vulnerability exists when Internet Explorer
improperly validates input before loading dynamic link library (DLL)
files. An attacker who successfully exploited this vulnerability could
take control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who operate
with administrative user rights. To exploit the vulnerability, an
attacker would first have to log on to the target system
and then run a specially crafted application. The updates address the
vulnerability by correcting how Internet Explorer validates input
before loading DLL files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title        CVE number      Publicly disclosed   Exploited

DLL Loading Remote Code
Execution Vulnerability    CVE-2016-0160   Yes                  No


Internet Explorer Information Disclosure Vulnerability - CVE-2016-0162

An information disclosure vulnerability exists when Internet Explorer
does not properly handle JavaScript. The vulnerability could allow an
attacker to detect specific files on the user's computer. In a
web-based attack scenario, an attacker could host a website that is
used to attempt to exploit the vulnerability.

In addition, compromised websites and websites that accept or host
user-generated content could contain specially crafted content that
could exploit the vulnerability. In all cases, however, an attacker
would have no way to force a user to view the attacker-controlled
content. Instead, an attacker would have to convince users to take
action. For example, an attacker could trick users into clicking a link
that takes them to the attacker's site.

An attacker who successfully exploited the vulnerability could
potentially read data that was not intended to be disclosed. Note that
the vulnerability would not allow an attacker to execute code or to
elevate a user's rights directly, but the vulnerability could be used to
obtain information in an attempt to further compromise the affected
system. The update addresses the vulnerability by helping to restrict
what information is returned to Internet Explorer.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title             CVE number      Publicly disclosed   Exploited

Internet Explorer Information
Disclosure Vulnerability        CVE-2016-0162   No                   No


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



