NOTICE: Update Microsoft Edge to address vulnerabilities

Tuesday, November 8, 2016

This information is intended for U-M IT staff who are responsible for university workstations or servers running the Microsoft Edge web browser. It was sent to the IT Security Community and Windows Administrators groups on November 8, 2016.

Summary

A new security update is available for Microsoft Edge that resolves multiple vulnerabilities. This update should be applied as soon as possible after appropriate testing. Successful exploitation of the identified vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Problem

Multiple vulnerabilities have been discovered in Microsoft Edge, the most severe of which could allow for remote code execution if a user views a specially crafted web page. There are reports of the vulnerabilities being exploited in the wild.

Threats

An information disclosure (CVE-2016-7199) and a spoofing (CVE-2016-7204) vulnerability have been publicly disclosed. There are also reports of these vulnerabilities being exploited in the wild.

Affected Versions

  • Windows 10
  • Windows 10 (Version 1511)
  • Windows 10 (Version 1607)
  • Windows Server 2016

Action Items

Apply the security update provided by Microsoft as soon as possible after appropriate testing. See Microsoft Security Bulletin MS16-129 - Critical: Cumulative Security Update for Microsoft Edge (3199057) for details and links to the updates.

Technical Details

Multiple vulnerabilities have been discovered in Microsoft Edge, the most severe of which could allow for remote code execution if a user views a specially crafted web page. Details of these vulnerabilities are as follows:
Eight scripting engine memory corruption vulnerabilities exist in the way the scripting engine renders when handling objects in memory.

  • Four memory corruption vulnerabilities exist when Microsoft Edge improperly handles objects in memory.
  • Three information disclosure vulnerabilities exist when Microsoft Edge improperly handles objects in memory.
  • One information disclosure vulnerability exists when the Microsoft Edge XSS filter is abused to leak sensitive page information.
  • One spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content.

Information for Users

MiWorkspace machines will be patched as soon as possible. If you have the Microsoft Edge web browser installed on your own computer running Windows 10 that is not managed by the university, please make sure that you have your computer set to automatically update Windows. This will ensure that Edge is also updated. See How to Update Microsoft Edge.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact [email protected].

References