SB2015021001 - Multiple vulnerabilities in Microsoft Internet Explorer
Published: February 10, 2015 Updated: February 7, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 40 secuirty vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2015-0055)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper validation of permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and run scripts with elevated privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
2) Privilege escalation (CVE-ID: CVE-2015-0054)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper validation of permissions. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and run scripts with elevated privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
3) Security bypass (CVE-ID: CVE-2015-0071)
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
4) Cross-site scripting (CVE-ID: CVE-2015-0070)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.The vulnerability exists due to insufficient sanitization of user-input. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Security bypass (CVE-ID: CVE-2015-0069)
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
6) Security bypass (CVE-ID: CVE-2015-0051)
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to failure to use Address Space Layout Randomization (ASLR). A remote attacker can create a specially crafted Web site, trick the victim into visiting it, bypass ASLR mechanism and predict memory locations that if connected with another vulnerability allows to execute arbitrary code.
Successful exploitation of this vulnerability results in security bypass on the vulnerable system.
7) Memory corruption (CVE-ID: CVE-2015-0067)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
8) Memory corruption (CVE-ID: CVE-2015-0066)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
9) Memory corruption (CVE-ID: CVE-2015-0053)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
10) Memory corruption (CVE-ID: CVE-2015-0052)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
11) Memory corruption (CVE-ID: CVE-2015-0050)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
12) Memory corruption (CVE-ID: CVE-2015-0049)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
13) Memory corruption (CVE-ID: CVE-2015-0048)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
14) Memory corruption (CVE-ID: CVE-2015-0046)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
15) Memory corruption (CVE-ID: CVE-2015-0045)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
16) Memory corruption (CVE-ID: CVE-2015-0044)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
17) Memory corruption (CVE-ID: CVE-2015-0043)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
18) Memory corruption (CVE-ID: CVE-2015-0042)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
19) Memory corruption (CVE-ID: CVE-2015-0041)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
20) Memory corruption (CVE-ID: CVE-2015-0040)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
21) Memory corruption (CVE-ID: CVE-2015-0039)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
22) Memory corruption (CVE-ID: CVE-2015-0038)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
23) Memory corruption (CVE-ID: CVE-2015-0037)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
24) Memory corruption (CVE-ID: CVE-2015-0036)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
25) Memory corruption (CVE-ID: CVE-2015-0035)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
26) Memory corruption (CVE-ID: CVE-2015-0031)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
27) Memory corruption (CVE-ID: CVE-2015-0030)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
28) Memory corruption (CVE-ID: CVE-2015-0029)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
29) Memory corruption (CVE-ID: CVE-2015-0028)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
30) Memory corruption (CVE-ID: CVE-2015-0027)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
31) Memory corruption (CVE-ID: CVE-2015-0026)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
32) Memory corruption (CVE-ID: CVE-2015-0025)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
33) Memory corruption (CVE-ID: CVE-2015-0023)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
34) Memory corruption (CVE-ID: CVE-2015-0022)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
35) Memory corruption (CVE-ID: CVE-2015-0021)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
36) Memory corruption (CVE-ID: CVE-2015-0020)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
37) Memory corruption (CVE-ID: CVE-2015-0019)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
38) Memory corruption (CVE-ID: CVE-2015-0018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
39) Memory corruption (CVE-ID: CVE-2015-0017)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
40) Use-after-free error (CVE-ID: CVE-2014-8967)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when applying a CSS style of display:run-in to a page and performing particular manipulations. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in arbitrary code execution on the vulnerable system.
Remediation
Install update from vendor's website.