none
additional permission validations to Internet Explorer "MS15-056"

    Question

  • Regarding June 9th - Cumulative Security Update for Internet Explorer (3058515)

    This update addresses "Multiple Elevation of Privilege Vulnerabilities".

    The description at https://technet.microsoft.com/library/security/ms15-056 indicates: "The update addresses the vulnerabilities by adding additional permission validations to Internet Explorer".

    Could someone please describe these additional permission validations?

    Do these additional validations affect deployment of IE Add-Ons (ActiveX) utilizing .CAB/.INF installation?


    • Edited by utahwinters Wednesday, June 10, 2015 7:08 PM
    Wednesday, June 10, 2015 7:06 PM

All replies

  • I think this should not affect IE Add-ons installation unless your activex control want to access the browser history.

    I guess the additional permission validations means that IE will check if you have permission to access the browser history.

    It seems that you got some problme when you deploy your Activex.


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Friday, June 12, 2015 6:01 AM
  • It appears that applying the latest security update to IE breaks the ability to install PerUser, ActiveX via CAB / INF.  It also breaks the ordinary admin install too: "Install for All Users of this Machine"

    I get a new error message in the Yellow Notification Bar: "An add-on for this website failed to run."

    I've verified this new bug with Windows 8.1 (x64), 8.0 (x32), Windows 7 (x64 / IE 11), Windows 7 (x32 / IE10 and IE11)

    Control components (DLL and CAB) are all properly code-signed.  I have carefully isolated the problem to the new IE Security Update.

    The INF allows for PerUser and/or All Users install scenarios.  Both scenarios are broken.  The only way to install the CAB is to run Internet Explorer as Administrator then click "Install".  Another approach is to turn off UAC.

    The PerUser install ordinarily copies the CAB contents to the user's "...\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\" and then invokes DllMain and DllRegisterServer.  However now after applying this latest Security Update for IE the CAB contents are no longer copied to the "Downloaded Program Files" location.  The CAB file does appear in the user's "...\AppData\Local\Temp\TMPDIR\" during the installation attempt.  (controls that were already installed prior to the update function normally, but if you uninstall and try to install it new from the CAB/INF we get the new error message...)

    sample INF:

    [version]

    signature="$CHICAGO$"

    AdvancedINF=2.0

    [Add.Code]

    MyControlV1.dll=MyControlV1.dll

    [Deployment]

    InstallScope=user|machine

    [MyControlV1.dll]

    file-win32-x86=thiscab

    FileVersion=1,0,0,1

    RegisterServer=yes

    RedirectToHKCU=yes

    Friday, June 12, 2015 6:35 PM
  • I know the post is old, but want to add that there was a regression in the update and was first fixed in later Cumulative update from July 2015.

    Thursday, December 15, 2016 11:52 PM