|
Security Update for Internet Explorer (3088903) Recommendation: Test and patch ASAP Mitigation option: EMET 5.2 configured to protect Internet Explorer (defautlt) is able to block the known exploit Related Bulletin and KBs: https://technet.microsoft.com/library/security/MS15-093 https://support.microsoft.com/en-us/kb/3087985 Executive Summary "This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. Vulnerability Information "An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email. See bulletin for all affected software
|
Russ McRee 203 Posts ISC Handler Aug 19th 2015 |
| Thread locked Subscribe |
Aug 19th 2015 6 years ago |
|
I've heard that EMET 5.2 with the default config eliminates the chance of exploitation via this vulnerability. Can anyone confirm or deny?
|
MarkJx 5 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
True statement, Mark. Added as mitigation to diary post.
|
Russ McRee 203 Posts ISC Handler |
| Quote |
Aug 19th 2015 6 years ago |
|
We noticed the requirement "must first install the 3078071 update released on August 11, 2015 before installing the 3087985 update", and are testing if this will be handled in ONE reboot when deploying via WSUS - or if we could risk that the machines require two reboots.
Multiple reboots could be an issue when it comes to boot order etc. |
dotBATman 70 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
This is probably worth emphasizing as well, otherwise many may not notice the lower severity for servers.
"Moderate for Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers." |
SteveYarlly 1 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
Everyone needs to ensure EMET is tested properly before rushing to deploy as a fix. My enterprise right now is having issues with EMET mitigation features blocking iexplore.exe process. Luckily you can disable these known issues by disabling only the mitigation features in EMET responsible, such as ROP Callback, EAF, and SEHOP.
|
kyle 5 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
@dotBATman:
Were you able to confirm the need for 2 or 1 reboots? |
AAInfoSec 51 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
We tested the reboot options and it does appear that the 8/11 patch must be installed and the machine rebooted before WSUS will even recognize that the machine needs 15-093.
|
AAInfoSec 1 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
I have confirmed in our enterprise that it only requires one reboot.
3078071 requires a reboot, but 3087985 does not. This is a win 7 environment with 2008 R2 AD and WSUS running on 2008 R2. One thing I have noticed though is that you have to install 3078071 first and reboot BEFORE 3087985 will even show in the update list. I'll be deploying this today for privileged users and over the weekend to all other workstations. Good luck. Blaine |
Blaine 2 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
I can confirm in my enterprise that only 3078071 require a reboot. However, 3087985 will not show in the update list after 3078071 is installed.
3087985 may require IE to be closed, but does not require a reboot. We will have to run two updates in a row. My environment is Server 2008 R2 AD and Server 2008 R2 with WSUS 3.2.7600.256. Good luck. Blaine |
Blaine 2 Posts |
| Quote |
Aug 19th 2015 6 years ago |
|
SteveYarlly; The security rating is only lower for servers due to the fact that you are less likely (should NOT) use servers for internet surfing.
Note that Terminal Servers being used for user-driven activities need to be treated just like any other client computer when it comes to turnaround on patches. |
dotBATman 70 Posts |
| Quote |
Aug 20th 2015 6 years ago |
|
Thanks for sharing patch sequence / reboot findings! We have seen the same and will be able to proceed with approving both updates for deployment. We can do this knowing that WSUS will not install these in the wrong order and it will not require two reboots.
|
dotBATman 70 Posts |
| Quote |
Aug 20th 2015 6 years ago |
Quoting dotBATman:Thanks for sharing patch sequence / reboot findings! We have seen the same and will be able to proceed with approving both updates for deployment. We can do this knowing that WSUS will not install these in the wrong order and it will not require two reboots. OK - we just did more testing on Windows Server 2012 R2 (install via Windows Update running of WSUS server), and KB3087985/MS15-093 did require a reboot after installation. Sorry, it is still not clear! |
dotBATman 70 Posts |
| Quote |
Aug 20th 2015 6 years ago |
|
One more test was completed - in the last "reboot is required" test there was an open Internet Explorer window.
Ran the patch on another computer after the "August updates reboot", and the OOB fix installed successfully with no reboot required. Good luck. |
dotBATman 70 Posts |
| Quote |
Aug 20th 2015 6 years ago |
|
Anyone having an issue with opening IE after the installation? We have some users that get a View and Track downloads with an htm file from our Intranet whenever they try to open IE. At least on one system, the Internet Options control panel wouldn't launch (no error).
Uninstall this patch, and IE works again. |
Anonymous |
| Quote |
Aug 24th 2015 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
