February 2015 security updates for Internet Explorer


Microsoft Security Bulletin MS15-009

This critical security update resolves one publicly reported and 40 privately reported vulnerabilities in Internet Explorer. For more information, please see Microsoft Security Bulletin MS15-009.

Security Update for Flash Player (3021953)

This security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB15-04. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see Microsoft Security Advisory 2755801.

Disabling SSL 3.0 fallback and disabling SSL 3.0

As communicated in our December 2014 security updates blog, today we’re releasing an update that prevents insecure fallback to SSL 3.0 in Internet Explorer 11 for Protected Mode sites. This setting is turned on by default. For more information, please see KB3038778.

When will Internet Explorer disable SSL 3.0?

In the April 14, 2015 Internet Explorer update, we plan to disable SSL 3.0 by default in Internet Explorer 11.

How can I test if my server will be impacted?

Disabling SSL 3.0 in your browser will allow you to see which sites use a connection over SSL 3.0 and need to be updated. We encourage users to use the workarounds and easy, one-click Fix it provided in Security Advisory 3009008 to disable SSL 3.0 in your browser.
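
The same check can be made on the server side from a packet capture. The following added example (not part of the original post or of any Microsoft tooling) parses the first record a server sends back and reports whether it selected SSL 3.0, which is the case that breaks once browsers stop offering that version. The function names and the sample records are assumptions constructed for illustration.

```python
import struct

# Protocol version codes as they appear on the wire in SSL/TLS hellos.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def negotiated_version(data: bytes) -> str:
    """Return the version a server selected, read from its first reply record."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if ctype == 0x15:
        # Alert record: the server refused the handshake outright.
        return "alert"
    if ctype != 0x16 or len(body) < 6 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    # Handshake header is 1 byte type + 3 bytes length; server_version follows.
    (version,) = struct.unpack("!H", body[4:6])
    return VERSIONS.get(version, "unknown 0x%04x" % version)

def breaks_without_ssl3(data: bytes) -> bool:
    """True when the server chose SSL 3.0 and so needs to be updated."""
    return negotiated_version(data) == "SSL 3.0"

def sample_server_hello(version: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample, not captured)."""
    hello = (struct.pack("!H", version) + bytes(32)  # version + random
             + b"\x00"                               # empty session id
             + b"\x00\x2f" + b"\x00")                # cipher suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

# Constructed fatal handshake_failure alert, as a refusing server would send.
SAMPLE_ALERT = struct.pack("!BHH", 0x15, 0x0300, 2) + b"\x02\x28"

if __name__ == "__main__":
    for name, rec in [("legacy", sample_server_hello(0x0300)),
                      ("modern", sample_server_hello(0x0303)),
                      ("refused", SAMPLE_ALERT)]:
        print(name, negotiated_version(rec))
```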

Staying up-to-date

Most customers have automatic updates enabled and will not need to take any action because these updates will be downloaded and installed automatically. Customers who have automatic updates disabled need to check for updates and install this update manually.

Comments (16)

  1. The IE11 Universal Cross Domain Vulnerability (UXSS) does not appear to be fixed by today's 11.0.16 Update. When can we expect a fix? innerht.ml/…/ie-uxss.html

  2. When blogging about security updates, could you please mention the resulting version number shown by Help > About?

  3. Vitor Canova says:

    Obligatory EricLaw's comment above 😉

  4. kyle.pflug@live.com says:

    @EricLaw [exMSFT] –

    We’re not aware of this vulnerability being actively exploited and are working to address it with an update.

  5. Is there some reason that the SSL3 change was tied to Protected Mode rather than Zones like other conditional behaviors of this nature? Does this mean that all WebOC hosts will remain vulnerable (because WebOC hosts run all sites outside of Protected Mode)?

    As the UXSS vulnerability does not crash the browser or otherwise send telemetry to Microsoft, your early warning systems will not be effective in detecting attacks against the vulnerability.

  6. kyle.pflug@live.com says:

    The change for disabling SSL 3.0 fallback (whether configured for protected mode or all sites) applies to Internet Explorer 11 only. It currently does not apply to WebOC hosts by design. Disabling SSL 3.0 fallback is an interim step towards deprecating SSL 3.0, and we recommend customers disable SSL 3.0 per Microsoft Security Advisory 3009008 (technet.microsoft.com/…/3009008.aspx). We plan to disable SSL 3.0 by default in the April 14, 2015 Internet Explorer update, which will apply to WebOC as well.

  7. PA Bear MS-MVP says:

    Will SSL 3.0 be disabled by default in IE10 & lower after installing the April 14, 2015 Internet Explorer update or just IE11?

  8. 127 says:

    imho, ssl3 should be also disabled for IE9 @Vista/2008(non-r2) and IE10@2012(non-r2)

    due to: blogs.msdn.com/…/stay-up-to-date-with-internet-explorer.aspx

  9. DH says:

    I agree with 127. As this is a security update it seems like it should be applied even to those browsers in extended support. It'd be nice to see IE 9/10 on those platforms also have their TLS 1.2 enabled by default.

  10. 127 says:

    @DH

    TLS 1.2 is not supported by Vista/2008

  11. 日本語で失礼 says:

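    I don't understand English, so please excuse me for writing in Japanese. My apologies for doing so on an English site.

    It looks like this patch does not yet cover the XSS (cross-site scripting) issue.

    That one appears to be quite serious, so please release an emergency patch!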

  12. 127 says:

    btw

    when IE will Support blocking of outdated Flash (much more needed these that)

    blogs.msdn.com/…/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx

    Also, the older Java version block needs to be updated

  13. sr says:

    Blocking-out-of-date-activex-controls – does this work on Citrix Xenapp 6.5 installed on windows 2008 r2 ent server?

    Thanks

  14. sullijwiii says:

    I have been a staunch supporter of IE since Win3.1 (I think that version had IE). Through all the problems and issues I hung in there as I like the way it is laid out and always believed it to work better since MS ties into the OS. Past updates have caused me issues but I still hung in there. But as of today with this newest upgrade I am so fed up with IE as I am tired of getting the error that says IE has stopped working. It happens fairly regularly, in fact every time on my mini laptop that has the Atom processor.

    And for the past 2 months since another update, when I click on a link it now opens on the same page even though I have it set to open in a new tab. This worked so well for the longest time and it changed; all I get from searching this issue out is that some web pages aren't set up for that and some explanation that doesn't make any sense.

    I am so disappointed I have to switch over to FireFox and it seems to always have updates and I really don't like its layout. My old friend IE has become too much of a problem though.

  15. William Donnelly says:

    I am no expert on computing. I do use Internet Explorer on my laptop. Over the last week I keep getting pop-ups telling me that I have a script error on almost every page or programme I am looking at. Is there any way I can get rid of it, please? I have looked at Chrome but am not happy with it.