Microsoft Released new Out of Cycle IE Patch

(imported topic written by Tim.Rice)

Are there any plans to release a Fixlet for todays Out of Cycle IE Patch?

According to the PCWorld article …

The Fix-It solution only works with 32-bit versions of Internet Explorer, and you must first apply the cumulative update for Internet Explorer from last week’s Patch Tuesday (MS13-069).

(imported comment written by liuhoting)

We’re looking at this. This is pretty unusual in that it’s not quite an actual IE patch, just a workaround. In general though, we don’t release patches for Microsoft Fix-It solutions or security advisories and just wait for the actual patch from Microsoft to come out, but this might be an exception.

(imported comment written by liuhoting)

So I haven’t had a chance to completely test this at all yet, but essentially the relevance and actionscript seem pretty simple… The fix it doesn’t actually care if you have the latest version of IE installed or not. Given that, the critical piece of relevance looks something like:

Q: not exists key whose (value "DisplayName" of it as string as lowercase = "cve-2013-3893") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry

and the actionscript would be something like:

download http://download.microsoft.com/download/4/A/4/4A4100CF-5CD5-4A4C-AD20-7D2F7C461582/MicrosoftFixit51001.msi

continue if {(size of it = 1070080 AND sha1 of it = "57451645b7889e7dc3cf4266791e1d86bc4e1ad0") of file "MicrosoftFixit51001.msi" of folder "__Download"}

// IE must be closed in order to deploy this Fixlet.
continue if {not exists running application "iexplore.exe"}

waithidden msiexec.exe /i "__Download\MicrosoftFixit51001.msi" /quiet /norestart

action may require restart "57451645b7889e7dc3cf4266791e1d86bc4e1ad0"
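An added endpoint-side audit script (not part of this thread or of the fixlet) that checks the same three conditions the draft relevance and actionscript above test: whether the Fix It's uninstall entry is present, whether iexplore.exe is running, and whether the KB2870699 prerequisite is installed. It assumes the Fix It registers its uninstall entry with DisplayName "CVE-2013-3893" (as the relevance above does) and that the cumulative update is visible to Get-HotFix by KB number; both are assumptions.

```powershell
# Added example, not from the forum thread. Audits one Windows endpoint for the
# state the draft relevance checks. Assumptions: the Fix It writes an Uninstall
# entry whose DisplayName is "CVE-2013-3893"; KB2870699 appears in the hotfix list.

function Get-IEShimStatus {
    # Check both the native and the 32-bit (WOW6432Node) Uninstall hives; the
    # relevance above reads only the native view.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Mirrors: exists key whose (value "DisplayName" ... as lowercase = "cve-2013-3893")
    $shim = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName.ToLower() -eq 'cve-2013-3893' }

    # Mirrors: exists running application "iexplore.exe" (the MSI needs IE closed)
    $ieRunning = [bool](Get-Process -Name iexplore -ErrorAction SilentlyContinue)

    # Assumption: the IE cumulative update (KB2870699) is listed by Get-HotFix.
    $prereq = [bool](Get-HotFix -Id KB2870699 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ShimInstalled    = [bool]$shim
        KB2870699Present = $prereq
        IERunning        = $ieRunning
        # Needs attention if either the shim or its prerequisite is missing.
        NeedsAction      = (-not $shim) -or (-not $prereq)
    }
}

Get-IEShimStatus | Format-List
```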

(imported comment written by liuhoting)

Hey, we just released the out of band fixlets:

288750502 2887505: Vulnerability in Internet Explorer could allow remote code execution - Enable MSHTML Shim Workaround - IE 6 / 7 / 8 / 9 / 10 / 11

288750504 2887505: Vulnerability in Internet Explorer could allow remote code execution - Disable MSHTML Shim Workaround - IE 6 / 7 / 8 / 9 / 10 / 11

If you gather version 1839 of the Patches for Windows (English) site, you’ll see this content in your consoles.

(imported comment written by sinucus)

I have a few questions about this patch.

Per the KB page:
https://technet.microsoft.com/en-us/security/advisory/2887505

“You must have security update 2870699 installed for this Fix it to provide effective protection against this issue. For more information about security update 2870699, click the following article number to view the article in the Microsoft Knowledge Base:”

I looked at the relevance for your published SHIM and I do not see a relevance statement that checks to see if MS13-069 is installed first. On my systems that do not have MS13-069 installed, the SHIM is reporting as true.

Secondly, per the same page:

“By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.”

How does everyone else read that statement? If you leave the Enhanced Security Configuration enabled, are you 100% protected against this vuln, or do you still need to apply the SHIM?

Thanks

(imported comment written by liuhoting)

Yup, we noticed the other ‘prerequisite’ update too, but the actual SHIM workaround is something you can still apply regardless of whether you’re up to date on security patches, so we wrote the fixlet up to mirror Microsoft’s fixit behavior. It’s possible of course to throw the MS13-069 relevance in as a prereq anyway, but then a whole bunch of endpoints that don’t have MS13-069 won’t report something like this on the console when they need both MS13-069 and the SHIM.

Also this fixit applies to literally all versions of IE and all Windows OSes. Trying to write the “is MS13-069 applied” relevance is going to be pretty tricky in that circumstance. We could have also stuck that kind of a check in the actionscript but then the action becomes almost unreadable.

We thought simple was probably better in this case.

From my personal perspective, I don’t think Enhanced Security 100% protects against the vulnerability. A lot of the mitigating factors on Microsoft’s page tend to say stuff like “yes, this is a mitigating factor if you have users that have fewer rights than full administrative powers, but there might still be an impact.” I’d apply the SHIM.