February 2015 security updates for Internet Explorer

Microsoft Security Bulletin MS15-009

This critical security update resolves one publicly reported and 40 privately reported vulnerabilities in Internet Explorer. For more information, please see Microsoft Security Bulletin MS15-009.

Security Update for Flash Player (3021953)

This security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB15-04. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see Microsoft Security Advisory 2755801.

Disabling SSL 3.0 fallback and disabling SSL 3.0

As communicated in our December 2014 security updates blog, today we’re releasing an update that prevents insecure fallback to SSL 3.0 in Internet Explorer 11 for Protected Mode sites. This setting is turned on by default. For more information, please see KB3038778.

When will Internet Explorer disable SSL 3.0?

In the April 14, 2015 Internet Explorer update, we plan to disable SSL 3.0 by default in Internet Explorer 11.

How can I test if my server will be impacted?

Disabling SSL 3.0 in your browser will allow you to see which sites use a connection over SSL 3.0 and need to be updated. We encourage users to use the workarounds and easy, one-click Fix it provided in Security Advisory 3009008 to disable SSL 3.0 in your browser.
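
Server operators can answer the same question from a packet capture by looking at the first record each server sends back to a ClientHello that offers TLS 1.0 or later. The following is an added example, not code from Microsoft or the advisory; the host names and reply bytes are constructed, and the verdict labels are this example's own.

```python
import struct

# Protocol versions as they appear on the wire in ServerHello.server_version.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02

def classify_first_record(data: bytes) -> str:
    """Return the version a server chose, or 'alert:<code>' if it refused."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record body")
    if rec_type == ALERT and rec_len >= 2:
        return f"alert:{body[1]}"  # alert body = level, description
    if rec_type != HANDSHAKE or rec_len < 6 or body[0] != SERVER_HELLO:
        raise ValueError("first record is not a ServerHello or alert")
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    (version,) = struct.unpack("!H", body[4:6])
    return VERSIONS.get(version, f"unknown:0x{version:04x}")

def audit(replies: dict) -> dict:
    """Map each host to 'update' (chose SSL 3.0), 'ok' (TLS) or 'review (...)'."""
    verdicts = {}
    for host, data in replies.items():
        result = classify_first_record(data)
        if result == "SSL 3.0":
            verdicts[host] = "update"
        else:
            verdicts[host] = "ok" if result.startswith("TLS") else f"review ({result})"
    return verdicts

def sample_server_hello(version: int) -> bytes:
    """Build a minimal constructed ServerHello record (no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake

# Constructed sample replies; the host names are placeholders.
SAMPLES = {
    "legacy.example": sample_server_hello(0x0300),   # server picked SSL 3.0
    "shop.example": sample_server_hello(0x0303),     # server picked TLS 1.2
    "old-lb.example": struct.pack("!BHHBB", ALERT, 0x0300, 2, 2, 40),  # fatal alert 40
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A host marked `update` would fail to connect once SSL 3.0 is disabled in the client; a `review` verdict means the server answered with an alert or an unrecognized version and needs a closer look.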

Staying up-to-date

Most customers have automatic updates enabled and will not need to take any action because these updates will be downloaded and installed automatically. Customers who have automatic updates disabled need to check for updates and install this update manually.

Comments

  • Anonymous
    February 10, 2015
    The IE11 Universal Cross Domain Vulnerability (UXSS) does not appear to be fixed by today's 11.0.16 Update. When can we expect a fix? innerht.ml/.../ie-uxss.html

  • Anonymous
    February 10, 2015
    When blogging about security updates, could you please mention the resulting version number shown by Help > About?

  • Anonymous
    February 10, 2015
    Obligatory EricLaw's comment above ;)

  • Anonymous
    February 10, 2015
    Is there some reason that the SSL3 change was tied to Protected Mode rather than Zones like other conditional behaviors of this nature? Does this mean that all WebOC hosts will remain vulnerable (because WebOC hosts run all sites outside of Protected Mode)? As the UXSS vulnerability does not crash the browser or otherwise send telemetry to Microsoft, your early warning systems will not be effective in detecting attacks against the vulnerability.

  • Anonymous
    February 11, 2015
    The change for disabling SSL 3.0 fallback (whether configured for protected mode or all sites) applies to Internet Explorer 11 only. It currently does not apply to WebOC hosts by design. Disabling SSL 3.0 fallback is an interim step towards deprecating SSL 3.0, and we recommend customers disable SSL 3.0 per Microsoft Security Advisory 3009008 (technet.microsoft.com/.../3009008.aspx). We plan to disable SSL 3.0 by default in the April 14, 2015 Internet Explorer update, which will apply to WebOC as well.

  • Anonymous
    February 11, 2015
    Will SSL 3.0 be disabled by default in IE10 & lower after installing the April 14, 2015 Internet Explorer update or just IE11?

  • Anonymous
    February 11, 2015
    imho, ssl3 should be also disabled for IE9 @Vista/2008(non-r2) and IE10@2012(non-r2) due to: blogs.msdn.com/.../stay-up-to-date-with-internet-explorer.aspx

  • Anonymous
    February 11, 2015
    I agree with 127. As this is a security update it seems like it should be applied even to those browsers in extended support. It'd be nice to see IE 9/10 on those platforms also have their TLS 1.2 enabled by default.

  • Anonymous
    February 11, 2015
    @DH TLS 1.2 is not supported by Vista/2008

  • Anonymous
    February 23, 2015
    Blocking-out-of-date-activex-controls - does this work on Citrix Xenapp 6.5 installed on windows 2008 r2 ent server? Thanks

  • Anonymous
    March 29, 2015
    I am no expert on computing. I do use Internet Explorer on my laptop. Over the last week I keep getting pop-ups telling me that I have a script error on almost every page or programme I am looking at. Is there any way I can get rid of it, please? I have looked at Chrome but am not happy with it.