CVE-2015-6047 in Internet Explorer
Summary
by MITRE
The broker EditWith feature in Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the AppContainer protection mechanism and gain privileges via a DelegateExecute launch of an arbitrary application, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Internet Explorer Elevation of Privilege Vulnerability."
Analysis
by VulDB Data Team • 06/20/2022
CVE-2015-6047 is a critical elevation of privilege flaw in Microsoft Internet Explorer versions 8 through 11 that directly undermines the operating system's sandboxing mechanisms. It targets the broker EditWith feature, which is designed to facilitate secure application launching through the Windows AppContainer protection model. Remote attackers can bypass these security boundaries by exploiting a DelegateExecute launch mechanism that allows arbitrary applications to be started with elevated privileges. The flaw sits at the core of the Windows security architecture: by manipulating how applications are launched and executed at different integrity levels, it creates a pathway for attackers to move from a Low Integrity context to a Medium Integrity context.
The vulnerability stems from improper validation in the Internet Explorer broker component that handles the EditWith functionality. When users interact with certain web content, the browser triggers the broker to execute applications through the DelegateExecute mechanism, which should normally enforce strict integrity level controls. The flaw, however, allows malicious web content to manipulate this process and launch arbitrary executables with elevated privileges. The bypass occurs because the broker does not properly validate integrity level transitions or enforce the AppContainer restrictions that should prevent such privilege escalation. The vulnerability is particularly dangerous because it uses legitimate Windows security mechanisms while subverting their protective purpose, which makes detection harder for security systems that may not recognize the behavior as anomalous.
The operational impact of CVE-2015-6047 is severe and multifaceted, as it provides attackers with a reliable method to achieve privilege escalation without requiring user interaction beyond visiting a malicious website. Once successfully exploited, the vulnerability allows attackers to execute arbitrary code with medium integrity privileges, which can then be leveraged to escalate further to higher privilege levels or access sensitive system resources. This makes the vulnerability particularly attractive to threat actors seeking persistent access to compromised systems, as it can be used to install backdoors, modify system files, or exfiltrate data. The attack surface is broad since it affects all versions of Internet Explorer from version 8 through 11, covering a significant portion of legacy systems that many organizations still maintain in their environments, particularly in enterprise settings where older browsers may be required for compatibility reasons.
From a cybersecurity perspective, this vulnerability aligns with CWE-276 as a case of improper privilege management, specifically the improper handling of application execution contexts within the Windows security model. It also maps to several ATT&CK techniques, including T1068 (Exploitation for Privilege Escalation) and T1059 (Command and Scripting Interpreter), as attackers can leverage this flaw to execute arbitrary commands with elevated privileges. Affected organizations should implement immediate mitigations: applying the relevant Microsoft security updates, disabling the EditWith feature through group policy configurations, and implementing additional security controls such as application whitelisting and enhanced monitoring of process creation events. The vulnerability underscores the importance of keeping security patches up to date and demonstrates how flaws in seemingly benign browser features can have far-reaching implications for system security, particularly when they interact with core operating system security mechanisms like AppContainer and integrity level enforcement.
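The process creation monitoring and application whitelisting mitigations named above can be combined into a single check, shown here as an added example that is not code from VulDB or Microsoft. It assumes records with Sysmon Event ID 1 field names (the sample records are constructed), a hypothetical allowlist, and that a broker-launched program is logged as a child of iexplore.exe; other parent chains would need their own rule.

```python
from ntpath import basename  # parses Windows paths on any OS

# Hypothetical allowlist: programs this site expects IE to start outside the sandbox.
ALLOWED_CHILDREN = {"iexplore.exe", "notepad.exe", "winword.exe"}
# Integrity levels at or above Medium, i.e. outside Low / AppContainer.
OUTSIDE_SANDBOX = {"Medium", "High", "System"}

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed sample records (not real telemetry), Sysmon Event ID 1 field names.
EVENTS = [
    {"ProcessId": 4120, "Image": IE, "ParentImage": r"C:\Windows\explorer.exe",
     "IntegrityLevel": "Medium"},                      # IE frame (broker) process
    {"ProcessId": 4388, "Image": IE, "ParentImage": IE,
     "IntegrityLevel": "Low"},                         # sandboxed tab process
    {"ProcessId": 4790, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": IE, "IntegrityLevel": "Medium"},   # expected helper
    {"ProcessId": 5012, "Image": r"C:\Users\alice\AppData\LocalLow\sample\tool.exe",
     "ParentImage": IE, "IntegrityLevel": "Medium"},   # unexpected program
]


def flag_broker_launches(events, allowed=ALLOWED_CHILDREN):
    """Return process-creation events in which iexplore.exe started a
    non-allowlisted program at Medium integrity or above."""
    hits = []
    for ev in events:
        parent = basename(ev.get("ParentImage", "")).lower()
        child = basename(ev.get("Image", "")).lower()
        if parent != "iexplore.exe":
            continue  # not launched by Internet Explorer
        if ev.get("IntegrityLevel") not in OUTSIDE_SANDBOX:
            continue  # child stayed at Low / AppContainer
        if child not in allowed:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in flag_broker_launches(EVENTS):
        print(f"ALERT pid={ev['ProcessId']} image={ev['Image']} "
              f"integrity={ev['IntegrityLevel']}")
```

On unpatched hosts, the allowlist should be built from the helper applications actually registered for Internet Explorer in that environment, so that legitimate launches do not drown out the alert.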