ADVISORY: Apply security update for IE

Wednesday, October 14, 2015

The message below was sent to U-M IT staff groups on October 14, 2015.


This message is intended for U-M IT staff who are responsible for university machines, including servers, with Microsoft Internet Explorer installed.

Summary: 

Microsoft has released a security update to mitigate multiple vulnerabilities in Microsoft Internet Explorer. At least one of the vulnerabilities has been publicly disclosed. This update should be applied as soon as possible after appropriate testing. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user.

Problem: 

The most severe of the identified vulnerabilities could allow an attacker to execute remote code by luring a victim to visit a specially crafted malicious website. When the website is visited, the attacker's script could run within the context of the affected browser or with the same permissions as the affected user account. Depending on the privileges associated with the user, an attacker could then install programs; view, change, and delete data; and create new accounts with full user rights.

Affected Systems: 
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
Action Items: 

We recommend that the security update be applied as soon as possible after appropriate testing if needed. Users should have auto-updating turned on for Internet Explorer and receive the update automatically. If auto-updating is not enabled, users should apply the update manually as soon as possible.

Threats: 

One memory corruption vulnerability that allows remote code execution (CVE-2015-6056) has been publicly disclosed. Attackers can exploit this vulnerability to execute arbitrary code with the same privileges as the currently logged-in user. Failed attacks can cause denial-of-service conditions.

Technical Details: 

Microsoft Internet Explorer is prone to multiple vulnerabilities, the most severe of which could allow remote code execution. The vulnerabilities are as follows:

  • Four memory corruption vulnerabilities could allow for remote code execution.
  • Three information disclosure vulnerabilities.
  • Three scripting engine memory corruption vulnerabilities that could allow for remote code execution.
  • Three elevation of privilege vulnerabilities.
  • One VBScript and Jscript ASLR Bypass vulnerability.
Information for Users: 

MiWorkspace machines will be updated as soon as possible. If you have Microsoft Internet Explorer installed on your own devices that are not managed by the university, you should have auto-updating turned on so that you automatically receive security updates. If you do not have auto-updating turned on, update your copy of Internet Explorer as soon as possible.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely,
—ITS Information and Infrastructure Assurance