ADVISORY: Multiple Internet Explorer vulnerabilities identified; apply updates as soon as possible

Wednesday, March 11, 2015
Summary: 

Multiple new vulnerabilities have been discovered in Microsoft Internet Explorer (IE), and at least one is already being actively exploited. Apply updates from Microsoft as soon as possible.

Problem: 

Multiple vulnerabilities have been discovered in Microsoft Internet Explorer (IE), which could allow an attacker to take complete control of an affected system. These vulnerabilities could allow an attacker to execute remote code by luring a victim to a malicious website. When the website is visited, the attacker's script will run with the same permissions as the affected user account. Successful exploitation of these vulnerabilities could result in an attacker gaining elevated privileges on the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Systems: 

Microsoft Internet Explorer 6, 7, 8, 9, 10, and 11.

Action Items: 

We recommend that you take the following actions:

  • Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Technical Details: 

Multiple vulnerabilities related to improper accessing of objects in memory. These include memory corruption vulnerabilities, elevation of privilege vulnerabilities, and a VBScript memory corruption vulnerability. These vulnerabilities could allow an attacker to execute remote code by luring a victim to a malicious website. When the website is visited, the attacker's script will run with the same permissions as the affected user account.

Information for Users: 
  • MiWorkspace users do not need to do anything. MiWorkspace machines will be updated automatically as soon as possible.
  • If you have Internet Explorer installed on your own devices that are not managed by the university, please do the following:
    • Update Internet Explorer (IE) by running Windows Update to apply the appropriate Microsoft patches.
    • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not to click links from unknown sources, do not click suspicious links in email, and do not open email attachments unless you are expecting them and trust the person who sent them. For more information, see Spam, Phishing, and Suspicious Email andInstructions for Securing Your Devices and Data on the U-M Safe Computing website.

 

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.