Microsoft Security Bulletin MS15-088 - Important

Published: August 11, 2015

Version: 1.0

This security update helps to resolve an information disclosure vulnerability in Microsoft Windows, Internet Explorer, and Microsoft Office. To exploit the vulnerability an attacker would first have to use another vulnerability in Internet Explorer to execute code in the sandboxed process. The attacker could then execute Notepad, Visio, PowerPoint, Excel, or Word with an unsafe command line parameter to effect information disclosure. To be protected from the vulnerability, customers must apply the updates provided in this bulletin, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081.

This security update is rated Important for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

This security update, in conjunction with the updates for Internet Explorer and Microsoft Office, addresses the vulnerability by improving how Notepad and Microsoft Office programs are executed from Internet Explorer. For more information about the vulnerability, see the Vulnerability Information section.

For more information about the updates required to address this vulnerability, see Microsoft Knowledge Base Article 3082458, Microsoft Knowledge Base Article 3082442, and Microsoft Knowledge Base Article 3080790.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

^[1]This update is available via Windows Update only.

^[2]The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with this month’s security release. The update is available via the Windows Update Catalog only. See Microsoft Knowledge Base Article 3081436 for more information and download links.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Note Windows Server Technical Preview 2 is affected. Customers running this operating system are encouraged to apply the update, which is available via Windows Update. 

The vulnerability discussed in this bulletin is also discussed in other bulletins being released in August. Do I need to install multiple updates to be protected from the vulnerability?
Yes. To be protected from this vulnerability, customers must apply all of the updates provided in this bulletin for their affected software, as well as the update for Internet Explorer provided in MS15-079. Likewise, customers running an affected Microsoft Office product must also install the applicable updates provided in MS15-081. Customers who do not install all of the updates available for their affected software will not be fully protected from the vulnerability.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary.

An information disclosure vulnerability exists in Microsoft Windows, Internet Explorer, and Microsoft Office when files at a medium integrity level become accessible to Internet Explorer running in Enhanced Protection Mode (EPM).

To exploit this vulnerability, an attacker would first need to leverage another vulnerability and execute code in Internet Explorer with EPM, and then execute Excel, Notepad, PowerPoint, Visio, or Word using an unsafe command line parameter. The update addresses the vulnerability by improving how Notepad and Microsoft Office programs are executed from Internet Explorer.

This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2015-2423. When this bulletin was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.

Microsoft has not identified any mitigating factors for this vulnerability.

The following workarounds may be helpful in your situation:

• Remove notepad.exe from Internet Explorer elevation policy

  Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  1. Run regedit.exe.

  2. In Registry Editor, expand the following registry key:

     "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
     

  3. Select {dc6bf185-7ae4-444e-8c35-e447b0d2bd1e}, click File, and then click Export.

  4. In the Export Registry File dialog, enter notepad.exe_backup.reg, and then click Save.

  5. Click File, select Delete, and then click Yes.

  6. Log off and log on again, or restart the computer.

  Impact of workaround: Internet Explorer will be disallowed from executing Notepad with elevated privileges.

  How to undo the workaround.

  1. Run regedit.exe.
  2. In Registry Editor, click File, and then click Import.
  3. In the Import Registry File dialog, select the backup file that you created in the initial procedure, notepad.exe_backup.reg, and then click Open.
  4. Log off and log on again, or restart the computer.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (August 11, 2015): Bulletin published.

Page generated 2015-08-12 7:56Z-07:00.