Apply emergency Internet Explorer update to address security vulnerability
This information was sent to U-M IT staff groups on August 19, 2015.
This message is intended for U-M IT staff who are responsible for university machines that have Internet Explorer installed.
Summary
Microsoft has released an emergency security update to resolve a vulnerability in Internet Explorer (IE). The vulnerability could allow remote code execution if a user views a specially crafted webpage using IE. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. IE users can infect their systems merely by browsing to a hacked or malicious website or opening a malicious document. The vulnerability is being actively exploited in the wild, and the update should be applied as soon as possible.
Threats
Reports indicate that the vulnerability (CVE-2015-2502) is being actively exploited in the wild. Successful exploitation of this vulnerability allows remote code execution, allowing an attacker to gain the same user rights as the current user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website designed to exploit this vulnerability through IE and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability.
Affected Systems
Microsoft IE on all supported releases of Microsoft Windows, including Windows Server. For a complete list of affected versions, see the Affected Software section of Microsoft Security Bulletin MS15-093.
Action Items
- Highest priority is to update IE on Windows desktop and laptop computers as soon as possible.
- Windows servers should also be updated, prioritizing Terminal Servers or other systems where users may use IE.
- Windows users should install the patch regardless of whether they use IE as their main browser. IE components can be invoked from a variety of applications, such as Microsoft Office.
Technical Details
CVE-2015-2502 is a remote code execution vulnerability that exists when IE improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Information for Users
MiWorkspace machines will be patched as soon as possible. If you have IE set for automatic updates, you do not need to do anything. If you do updates manually, please update to the latest version as soon as possible. We recommend that you set IE to update automatically.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.
Questions, Concerns, Reports
Please contact [email protected].
References
- Microsoft Security Bulletin MS15-093 - Critical (Microsoft, 8/18/15)
- MS15-093 - OOB fix for Internet Explorer (Qualys Blog, 8/18/15)
- Microsoft Pushes Emergency Patch for IE (Krebs on Security, 8/18/15)