
====================================================================

                                    CERT-Renater

                       Note d'Information No. 2016/VULN321
_____________________________________________________________________

DATE                : 14/09/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Internet Explorer.

=====================================================================
KB3183038
https://technet.microsoft.com/en-us/library/security/MS16-104
____________________________________________________________________

MS16-104: Cumulative Security Update for Internet Explorer (3183038) -
Critical

Executive Summary

This security update resolves vulnerabilities in Internet Explorer. The
most severe of the vulnerabilities could allow remote code execution if
a user views a specially crafted webpage using Internet Explorer. An
attacker who successfully exploited the vulnerabilities could gain the
same user rights as the current user. If the current user is logged on
with administrative user rights, an attacker could take control of an
affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.

This security update is rated Critical for Internet Explorer 9 (IE 9),
and Internet Explorer 11 (IE 11) on affected Windows clients, and
Moderate for Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10),
and Internet Explorer 11 (IE 11) on affected Windows servers.


Affected Software

Internet Explorer 9

Internet Explorer 10

Internet Explorer 11


Multiple Microsoft Internet Explorer Memory Corruption Vulnerabilities

Multiple remote code execution vulnerabilities exist in the way that
Internet Explorer accesses objects in memory. The vulnerabilities could
corrupt memory in a way that could allow an attacker to execute
arbitrary code in the context of the current user. An attacker who
successfully exploited the vulnerabilities could gain the same user
rights as the current user. If the current user is logged on with
administrative user rights, the attacker could take control of an
affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

An attacker could host a specially crafted website that is designed to
exploit the vulnerabilities through Internet Explorer, and then
convince a user to view the website. The attacker could also take
advantage of compromised websites, or websites that accept or host
user-provided content or advertisements, by adding specially crafted
content that could exploit the vulnerabilities. In all cases, however,
an attacker would have no way to force users to view the
attacker-controlled content. Instead, an attacker would have to
convince users to take action, typically via an enticement in email
or instant message, or by getting them to open an email attachment.

The update addresses the vulnerabilities by modifying how Internet
Explorer handles objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:


Vulnerability Information

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3247 	No 	No

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3295 	No 	No

Microsoft Browser Memory
Corruption Vulnerability 	CVE-2016-3297 	No 	No

Internet Explorer Memory
Corruption Vulnerability 	CVE-2016-3324 	No 	No


Scripting Engine Memory Corruption Vulnerability CVE-2016-3375

A remote code execution vulnerability exists in the way that the
Microsoft OLE Automation mechanism and the VBScript Scripting Engine
in Internet Explorer access objects in memory. The vulnerability could
corrupt memory in a way that could allow an attacker to execute
arbitrary code in the context of the current user. An attacker who
successfully exploited the vulnerability could gain the same user
rights as the current user. If the current user is logged on with
administrative user rights, the attacker could take control of an
affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.

An attacker could host a specially crafted website that is designed to
exploit the vulnerability through Internet Explorer, and then convince
a user to view the website. The attacker could also take advantage of
compromised websites, or websites that accept or host user-provided
content or advertisements, by adding specially crafted content that
could exploit the vulnerability. In all cases, however, an attacker
would have no way to force users to view the attacker-controlled
content. Instead, an attacker would have to convince users
to take action, typically via an enticement in email or instant
message, or by getting them to open an email attachment.

Note that you must install two updates to be protected from the
Scripting Engine Memory Corruption Vulnerability CVE-2016-3375: The
update in this bulletin, MS16-104, and the update in MS16-116. The
updates address the vulnerability by modifying how the Microsoft OLE
Automation mechanism and the VBScript Scripting Engine in Internet
Explorer handle objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Scripting Engine Memory
Corruption Vulnerability 	CVE-2016-3375 	No 	No


Internet Explorer Elevation of Privilege Vulnerability CVE-2016-3292

An elevation of privilege vulnerability exists when Internet Explorer
fails a check, allowing sandbox escape. An attacker who successfully
exploited the vulnerability could use the sandbox escape to elevate
privileges on an affected system. This vulnerability by itself does not
allow arbitrary code execution; however, it could allow arbitrary code
to be run if the attacker uses it in combination with one or more
vulnerabilities (such as a remote code execution vulnerability or
another elevation of privilege vulnerability) that is capable of
leveraging the elevated privileges when code execution is
attempted.

The update addresses the vulnerability by correcting how Internet
Explorer handles zone and integrity settings.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 	CVE number    Publicly disclosed   Exploited

Microsoft Browser Elevation of
Privilege Vulnerability    CVE-2016-3292 	No 	   No


Multiple Internet Explorer Information Disclosure Vulnerabilities

Multiple information disclosure vulnerabilities exist in the way that
Internet Explorer handles objects in memory. An attacker who
successfully exploited the vulnerabilities could obtain information to
further compromise a target system.

In a web-based attack scenario an attacker could host a website that is
used to attempt to exploit the vulnerabilities. Additionally,
compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could be used to
exploit the vulnerabilities. However, in all cases an attacker would
have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes
them to the attacker's site.

The update addresses the vulnerabilities by correcting how certain
functions handle objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title  CVE number    Publicly disclosed 	Exploited

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3325 	No 	No

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3351 	No 	Yes


Microsoft Browser Information Disclosure Vulnerability CVE-2016-3291

An information disclosure vulnerability exists in the way that affected
Microsoft browsers handle cross-origin requests. An attacker who
successfully exploited this vulnerability could determine the origin of
all of the web pages in the affected browser.

In a web-based attack scenario, an attacker could host a website that
is used to attempt to exploit the vulnerability. Additionally,
compromised websites and websites that accept or host user-provided
content could contain specially crafted content that could be used to
exploit the vulnerabilities. However, in all cases an attacker would
have no way to force users to view attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could trick users into clicking a link that takes
them to the attacker's site.

The security update addresses the vulnerabilities by correcting how
affected browsers handle cross-origin resources.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title   CVE number   Publicly disclosed 	Exploited

Microsoft Browser Information
Disclosure Vulnerability 	CVE-2016-3291 	No 	No


Internet Explorer Security Feature Bypass - CVE-2016-3353

A security feature bypass opportunity exists in the way that Internet
Explorer handles files from the Internet zone.

In a web-based attack scenario an attacker could host a malicious
website that is designed to exploit the security feature bypass.
Alternatively, in an email or instant message attack scenario, the
attacker could send the targeted user a specially crafted .URL file
that is designed to exploit the bypass.
Additionally, compromised websites or websites that accept or host
user-provided content could contain specially crafted content that
could be used to exploit the security feature bypass. In all cases,
however, an attacker would have no way to force users to view
attacker-controlled content.
Instead, an attacker would have to convince users to take action. For
example, an attacker could entice users into clicking a link that
directs them to the attacker's site or send a malicious attachment.

The update addresses the security feature by correcting how Internet
Explorer handles .URL files

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 	CVE number   Publicly disclosed   Exploited

Internet Explorer Security
Feature Bypass 	       CVE-2016-3353 	No 		No

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================