Tim.Rice
79 Posts

Pinned topic Microsoft Released new Out of Cycle IE Patch

‏2013-09-17T21:51:49Z |

Are there any plans to release a Fixlet for today's Out of Cycle IE Patch?

http://www.pcworld.com/article/2048912/microsoft-rushes-urgent-fix-for-internet-explorer.html#tk.rss_all

http://support.microsoft.com/kb/2887505

According to the PCWorld article ...

The Fix-It solution only works with 32-bit versions of Internet Explorer, and you must first apply the cumulative update for Internet Explorer from last week's Patch Tuesday (MS13-069).

  • liuhoting
    32 Posts

    Re: Microsoft Released new Out of Cycle IE Patch

    ‏2013-09-17T23:01:08Z  

    We're looking at this. This is pretty unusual in that it's not quite an actual IE patch, just a workaround. In general though, we don't release patches for Microsoft Fix-It solutions or security advisories and just wait for the actual patch from Microsoft to come out, but this might be an exception.

  • liuhoting
    32 Posts

    Re: Microsoft Released new Out of Cycle IE Patch

    ‏2013-09-18T00:29:12Z  

    So I haven't had a chance to completely test this at all yet, but essentially the relevance and actionscript seem pretty simple... The fix it doesn't actually care if you have the latest version of IE installed or not. Given that, the critical piece of relevance looks something like:

    Q: not exist key whose (value "DisplayName" of it as string as lowercase = "cve-2013-3893") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

    and the actionscript would be something like:

    download http://download.microsoft.com/download/4/A/4/4A4100CF-5CD5-4A4C-AD20-7D2F7C461582/MicrosoftFixit51001.msi

    continue if {(size of it = 1070080 AND sha1 of it = "57451645b7889e7dc3cf4266791e1d86bc4e1ad0") of file "MicrosoftFixit51001.msi" of folder "__Download"}

    //IE must be closed in order to deploy this Fixlet.
    continue if {not exists running application "iexplore.exe"}

    waithidden msiexec.exe /i __Download\MicrosoftFixit51001.msi /quiet /norestart

    action may require restart "57451645b7889e7dc3cf4266791e1d86bc4e1ad0"  
     

  • liuhoting
    32 Posts

    Re: Microsoft Released new Out of Cycle IE Patch

    ‏2013-09-18T05:05:44Z  

    Hey, we just released the out of band fixlets:

    288750502    2887505: Vulnerability in Internet Explorer could allow remote code execution - Enable MSHTML Shim Workaround - IE 6 / 7 / 8 / 9 / 10 / 11 
    288750504    2887505: Vulnerability in Internet Explorer could allow remote code execution - Disable MSHTML Shim Workaround - IE 6 / 7 / 8 / 9 / 10 / 11     
     


    If you gather version 1839 of the Patches for Windows (English) site, you'll see this content in your consoles.

  • sinucus
    71 Posts

    Re: Microsoft Released new Out of Cycle IE Patch

    ‏2013-09-20T14:54:27Z  

    I have a few questions about this patch.

    Per the KB page: https://technet.microsoft.com/en-us/security/advisory/2887505

    "You must have security update 2870699 installed for this Fix it to provide effective protection against this issue. For more information about security update 2870699, click the following article number to view the article in the Microsoft Knowledge Base:"

    I looked at the relevance for your published SHIM and I do not see a relevance statement that checks to see if MS13-069 is installed first. In my systems that do not have MS13-069 installed the SHIM is reporting as true.

    Secondly, per the same page:

    "By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability."

    How does everyone else read that statement? If you leave the Enhanced Security Configuration enabled, are you 100% protected against this vuln? Or do you still need to apply the SHIM?

    Thanks

  • liuhoting
    32 Posts

    Re: Microsoft Released new Out of Cycle IE Patch

    ‏2013-09-21T02:41:31Z  

    Yup, we noticed the other 'prerequisite' update too, but the actual SHIM workaround is something you can still apply regardless of whether you're up to date on security patches, so we wrote the fixlet up to mirror Microsoft's fixit behavior. It's possible of course to throw the MS13-069 relevance as a prereq anyways, but then you're missing a whole bunch of endpoints that don't have MS13-069 and won't report something like this on the console when they need both MS13-069 and the SHIM.

    Also this fixit applies to literally all versions of IE and all Windows OSes. Trying to write the "is MS13-069 applied" relevance is going to be pretty tricky in that circumstance. We could have also stuck that kind of a check in the actionscript but then the action becomes almost unreadable.

    We thought simple was probably better in this case.

    From my personal perspective, I don't think Enhanced Security 100% protects against the vulnerability. A lot of the mitigating factors on Microsoft's page tend to say stuff like "yes, this is a mitigating factor if you have users that have fewer rights than full administrative powers, but there *might* still be an impact." I'd apply the SHIM.
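
Added example, not part of the thread and not the published Fixlet content: a small Python model of the trade-off discussed in the last two posts, comparing the relevance as posted (shim entry missing from the Uninstall key) with a variant gated on security update 2870699. The endpoint inventory, field names and function names are constructed for illustration.

```python
# Constructed inventory: host names, Uninstall DisplayNames and KB lists are sample data.
SHIM_DISPLAY_NAME = "cve-2013-3893"  # DisplayName tested by the relevance posted in the thread
PREREQ_KB = "2870699"                # update the advisory names as a prerequisite

ENDPOINTS = [
    {"name": "ws-01", "uninstall": ["CVE-2013-3893"], "kbs": ["2870699"], "ie_running": False},
    {"name": "ws-02", "uninstall": [], "kbs": ["2870699"], "ie_running": True},
    {"name": "ws-03", "uninstall": [], "kbs": [], "ie_running": False},
    {"name": "ws-04", "uninstall": ["cve-2013-3893"], "kbs": [], "ie_running": False},
]

def shim_missing(ep):
    """Mirror of the posted relevance: no Uninstall entry whose lowercased DisplayName matches."""
    return not any(n.lower() == SHIM_DISPLAY_NAME for n in ep["uninstall"])

def relevant_simple(ep):
    """Design used in the thread: relevant whenever the shim is absent."""
    return shim_missing(ep)

def relevant_gated(ep):
    """Alternative raised in the thread: relevant only if the prerequisite is installed."""
    return shim_missing(ep) and PREREQ_KB in ep["kbs"]

def report(endpoints):
    """Per endpoint: what is still missing and how each relevance design reports it."""
    rows = {}
    for ep in endpoints:
        needs = []
        if PREREQ_KB not in ep["kbs"]:
            needs.append("KB" + PREREQ_KB)
        if shim_missing(ep):
            needs.append("shim")
        rows[ep["name"]] = {
            "needs": needs,
            "simple": relevant_simple(ep),
            "gated": relevant_gated(ep),
            # The posted action stops at: continue if {not exists running application "iexplore.exe"}
            "action_blocked": relevant_simple(ep) and ep["ie_running"],
        }
    return rows

def hidden_by_gating(endpoints):
    """Endpoints that need the shim but would drop off the console under the gated design."""
    return [ep["name"] for ep in endpoints if relevant_simple(ep) and not relevant_gated(ep)]

if __name__ == "__main__":
    for name, row in report(ENDPOINTS).items():
        print(name, row)
    print("hidden when gated on the prerequisite:", hidden_by_gating(ENDPOINTS))
```

In this model ws-03 is the case sinucus describes (relevant without the prerequisite), and ws-04 shows that neither design flags an endpoint that has the shim but still lacks the update, so the prerequisite has to be tracked through its own patch content.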