Microsoft Edge wasted no time making its presence felt on Patch Tuesday today when Microsoft released the first security bulletin for the company’s new browser.
Released two weeks ago along with the public debut of Windows 10, Edge, like its big brother Internet Explorer, got its own critical cumulative update today with patches for four vulnerabilities, including a trio of memory corruption vulnerabilities and an ASLR bypass.
The Edge bulletin, MS15-091, is one of 14 bulletins, four of which are rated critical, including a separate cumulative update for Internet Explorer, MS15-079. None of the Edge vulnerabilities have been publicly disclosed or exploited, but the same cannot be said for IE; CVE-2015-2423, an unsafe command line parameter passing vulnerability, has been publicly disclosed and affects not only IE, but also Windows and Office. It has not been exploited publicly, Microsoft said.
Microsoft promised enhanced security with Edge by adding new memory protections such as MemGC (Memory Garbage Collector) that defends against use-after-free bugs, and removing support for toolbars and Browser Helper Objects, ActiveX, VML and VB Script. Another memory protection called Control Flow Guard (CFG) constrains memory corruption attacks from freely moving about.
Microsoft said the three memory corruption vulnerabilities in Edge enable remote code execution attacks, while the ASLR bypass also leads to remote code execution if chained together with an exploit for a separate vulnerability.
The Internet Explorer bulletin includes patches for 13 vulnerabilities in the browser. The publicly disclosed vulnerability is rated important on Windows clients going back to Internet Explorer 7, and rated low on Windows Servers.
“An information-disclosure vulnerability exists in Microsoft Windows, Internet Explorer, and Microsoft Office when files at a medium integrity level become accessible to Internet Explorer running in Enhanced Protection Mode (EPM),” Microsoft said in the bulletin. “To exploit this vulnerability, an attacker would first need to leverage another vulnerability and execute code in Internet Explorer with EPM, and then execute Excel, Notepad, PowerPoint, Visio, or Word using an unsafe command line parameter. The update addresses the vulnerability by improving how Notepad and Microsoft Office programs are executed from Internet Explorer.”
As a temporary workaround, Microsoft suggests either removing notepad.exe from the IE elevation policy, or removing IE elevation policies for Word, Excel, PowerPoint and Visio. Microsoft today also released two other bulletins related to this vulnerability, MS15-088 and MS15-081, both of which it said must be applied in order to be fully protected.
The rest of the IE bulletin patches 10 memory corruption vulnerabilities and two ASLR bypasses; all of the memory-related bugs could lead to remote code execution, as do the ASLR bypasses if chained together with other exploits.
The Office bulletin, MS15-081, patches eight remote code execution vulnerabilities including CVE-2015-2423. Microsoft patched five memory corruption vulnerabilities where Office improperly handles objects in memory that could be exploited by a malicious Office document sent via email or hosted online.
A separate Office RCE vulnerability was patched in which Office failed to properly validate templates. A crafted file could be emailed or hosted online, or in a man-in-the-middle attack, a template could be modified with malicious code, Microsoft said.
The remaining Office bug is an integer underflow vulnerability where Office decreases an integer value beyond its intended minimum value, Microsoft said, adding that it could be exploited via a malicious Office doc sent via email or hosted online.
MS15-080 is the remaining critical bulletin and patches 16 vulnerabilities in Microsoft Graphics Component. Most of the vulnerabilities involve font parsing issues in a number of Windows components, including the Windows Adobe Type Manager Library, the Windows DirectWrite library, Office, the Windows kernel, Windows shell and other OS processes.
There are a half-dozen remote code execution OpenType font parsing vulnerabilities, five TrueType font parsing vulnerabilities, and a RCE vulnerability in Microsoft Office Graphics Component addressed in this bulletin. The bulletin also includes patches for a kernel ASLR bypass, a Windows kernel-mode driver security bypass, a Windows Shell security bypass, and an elevation of privilege vulnerability in the Windows Client-Server Run-time Subsystem.
Two other bulletins, MS15-082 and MS15-083, also address remote code execution vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB) respectively, but were rated important by Microsoft.
The remaining bulletins were also rated important: