==================================================================== CERT-Renater Note d'Information No. 2016/VULN009 _____________________________________________________________________ DATE : 13/01/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows version Vista, Server 2008 running VBScript versions 5.7, 5.8. ====================================================================== KB3125540 https://technet.microsoft.com/en-us/library/security/MS16-003 _____________________________________________________________________ Microsoft Security Bulletin MS16-003: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution (3125540) Document Metadata Bulletin Number: MS16-003 Bulletin Title: Cumulative Security Update for JScript and VBScript to Address Remote Code Execution Severity: Critical KB Article: 3125540 Version: 1.0 Published Date: January 12, 2016 Executive Summary This security update resolves a vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Affected Software VBScript 5.7 VBScript 5.8 Windows Vista Service Pack 2 Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems Service Pack 2 Windows Server 2008 for Itanium-based Systems Service Pack 2 Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation only) Vulnerability Information Scripting Engine Memory Corruption Vulnerability - CVE-2016-0002 A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how the VBScript scripting engine handles objects in memory. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Scripting Engine Memory Corruption Vulnerability CVE-2016-0002 No No ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================