MS15-124: Vulnerability in Internet Explorer could lead to ASLR bypass - Enable the User32 Exception Handler Hardening Feature - KB3125869

IBM,
Can you remove this workaround from the Enterprise Security site? The Fixlet is a workaround (enable and disable) only and should not be categorized in the same way as standard Microsoft security updates (MSBs).
Many orgs query for relevant Fixlets, and this is being flagged as required although it's not an update available natively via Microsoft's Windows Update services, or MBSA.
Thanks.


Agree with this, as it caused confusion with our reporting also. While the Fixlets should be available, the "disable" one is classed as Category "Undo Workaround", which indicates that the initial "enable" Fixlet should be categorised as "Workaround" or something similar, but not "Security Update"; and neither should start with "MS*", as we filter security patching results by any Fixlet starting with this.


Hi,

This is Yunfei from the content dev team. Thanks for the feedback; this pair of enable/disable Fixlets is indeed a bit tricky.

Microsoft has released a bulletin revision specifically for it:

V1.1 (December 16, 2015): Bulletin revised to further clarify the steps users must take to be protected from the vulnerability described in CVE-2015-6161. This bulletin, MS15-124, provides protections for this issue, but user action is required to enable them; the cumulative update for Internet Explorer does not enable the protections by default. Before applying the protections, Microsoft recommends that customers perform testing appropriate to their environment and system configurations.

Arguably this is not a workaround, but a necessary step to protect from a vulnerability. However, it also makes sense that you would like this one out of your reports.

Maybe we will remove its categorization (change to ‘Unspecified’ as MS did not specify what it is) and keep its title. Does this solve your concern?
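The bulletin revision quoted above is the security-relevant point of this thread: the IE cumulative update ships the User32 exception handler hardening disabled, and something (the Fixlet, the Microsoft FixIt, or an admin) has to turn it on. For anyone who wants to report on the actual machine state rather than on Fixlet categories, here is an added PowerShell example, not code from the original thread or from the Fixlet. It assumes the feature-control registry key and value documented in KB3125869 (FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING with a DWORD named iexplore.exe set to 1, plus the Wow6432Node copy on 64-bit Windows); the key and value names are stated from memory and should be verified against the KB before deployment. The function names are my own.

```powershell
# Added example (not part of the original forum thread or the Fixlet).
# Audits, enables or disables the User32 Exception Handler Hardening feature
# control that MS15-124 / KB3125869 leave off by default.
#
# ASSUMPTION: the key path and value name below are what KB3125869 documents
# as far as I recall; verify against the KB before relying on this.
param(
    [switch]$Enable,
    [switch]$Disable
)

$FeatureKey = 'Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
$ValueName  = 'iexplore.exe'

# Native view first; on 64-bit Windows the 32-bit IE process reads the
# Wow6432Node copy, so both must agree for the protection to be on everywhere.
$Paths = @("HKLM:\SOFTWARE\$FeatureKey")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\$FeatureKey"
}

function Get-User32HardeningState {
    # Returns one object per registry view. A missing key or value is reported
    # as $null, which is distinct from an explicit 0 (the "Undo Workaround"
    # Fixlet state) and is exactly the "installed but not enabled" case the
    # bulletin revision warns about.
    foreach ($p in $Paths) {
        $current = $null
        if (Test-Path -Path $p) {
            $item = Get-ItemProperty -Path $p -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$ValueName }
        }
        [pscustomobject]@{
            Path    = $p
            Value   = $current
            Enabled = ($current -eq 1)
        }
    }
}

function Set-User32Hardening {
    # Writes the DWORD in every view; $Value 1 enables, 0 disables.
    param([ValidateSet(0, 1)][int]$Value)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            New-Item -Path $p -Force | Out-Null
        }
        New-ItemProperty -Path $p -Name $ValueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
}

if ($Enable)  { Set-User32Hardening -Value 1 }
if ($Disable) { Set-User32Hardening -Value 0 }

# Report the resulting state; "Enabled" must be True on every row for the
# MS15-124 protections to be active for both 32-bit and 64-bit IE.
Get-User32HardeningState | Format-Table -AutoSize
```

Run it from an elevated prompt with no switches to audit, with -Enable to apply the setting, or with -Disable to roll it back. The audit output is what you would feed a reporting pipeline if, as the thread suggests, the MS15-124 Fixlet title and category cannot be relied on to tell "update installed" apart from "protection enabled".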

Hi, I would prefer it if you would update the Fixlet title to start with CVE-2015-6161 (or even the KB) as opposed to MS15-124. I suspect not all your customers make use of the categorization fields when querying data.

Hi Nick,

Thank you so much for the recommendation. However, while you do not want this Fixlet to be labelled with security bulletin number MS15-124, there are customers asking specifically for it, so keeping MS15-124 in the title should cater for their needs.

That being said, does the change proposed in my last reply solve your issue with the reports? If not, I may need to think of another way out.

Thank you!

No. The action takes you to a Microsoft FixIt; this is a workaround, not a security update (per Patch Tuesday). The Fixlet should not follow the same naming convention as regular MSBs.
We can code around this; however, we shouldn't have to. I know other customers who are exhibiting the same issue as we are in terms of reporting. You have published other workarounds that don't conform to this standard. Hope this clarifies.


Hi Nick, thanks for the elaboration. We will update the content soon. Thank you!