
====================================================================

                            CERT-Renater

                Note d'Information No. 2016/VULN057
_____________________________________________________________________

DATE                : 12/02/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Windows versions Vista, Server 2008, 7, 8.1, 10,
                        Server 2012.

======================================================================
KB3134228
https://technet.microsoft.com/en-us/library/security/MS16-014
_____________________________________________________________________


Bulletin Title: Security Update for Microsoft Windows to Address Remote
Code Execution

Severity: Important

KB Article: 3134228

Version: 1.0

Published Date: February 9, 2016


Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The
most severe of the vulnerabilities could allow remote code execution if
an attacker is able to log on to a target system and run a specially
crafted application.

This security update is rated Important for all supported releases of
Microsoft Windows.


Affected Software

Windows Vista Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1[1]

Windows 10 for 32-bit Systems[2]

Windows 10 for x64-based Systems[2]

Windows 10 Version 1511 for 32-bit Systems[2]

Windows 10 Version 1511 for x64-based Systems[2]

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1]This update is only available via Windows Update.

[2]Windows 10 updates are cumulative. In addition to containing
non-security updates, they also contain all of the security fixes for
all of the Windows 10-affected vulnerabilities shipping with the
monthly security release. The update is available via the Windows
Update Catalog.


Vulnerability Information

Windows Elevation of Privilege Vulnerability - CVE-2016-0040

An elevation of privilege vulnerability exists when the Windows kernel
improperly handles objects in memory. An attacker who successfully
exploited the vulnerability could run arbitrary code in kernel mode. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights.

To exploit the vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application
that could exploit the vulnerabilities and take control over an
affected system. The update addresses the vulnerabilities by correcting
how the Windows kernel handles objects in memory.

Vulnerability Title   CVE number    Publicly disclosed    Exploited

Windows Elevation of
Privilege Vulnerability  CVE-2016-0040 	 Yes 	          No


Multiple DLL Loading Remote Code Execution Vulnerabilities

Multiple remote code execution vulnerabilities exist when Windows
improperly validates input before loading dynamic link library (DLL)
files. An attacker who successfully exploited these vulnerabilities
could take control of an affected system. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights. Users whose accounts are configured to have
fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

To exploit the vulnerabilities, an attacker would first have to log on
to the target system and then run a specially crafted application. The
updates address the vulnerabilities by correcting how Windows validates
input before loading DLL files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 	CVE number   Publicly disclosed   Exploited

DLL Loading Remote Code
Execution Vulnerability 	CVE-2016-0041	No 	No

Windows DLL Loading Remote
Code Execution Vulnerability CVE-2016-0042	No 	No


Windows DLL Loading Denial of Service Vulnerability - CVE-2016-0044

A denial of service vulnerability exists in Windows when Microsoft Sync
Framework processes specially crafted input that uses the change batch
structure. An attacker who successfully exploited the vulnerability
could cause the target SyncShareSvc service to stop responding. Note
that the denial of service would not allow an attacker to execute code
or to elevate their user rights. However, it could prevent
authenticated users from using the SyncShareSvc service.

To exploit the vulnerability an authenticated attacker must send a
specially-crafted network packet to a server running the SyncShareSvc
service.
The update addresses the vulnerability by correcting how Microsoft Sync
Framework validates input.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 	CVE number   Publicly disclosed    Exploited

Windows DLL Loading Denial
of Service Vulnerability   CVE-2016-0044   No 	           No


Windows Kerberos Security Feature Bypass - CVE-2016-0049

A security feature bypass exists in Windows when Kerberos fails to
check the password change of a user signing into a workstation. An
attacker could bypass Kerberos authentication on a target machine and
decrypt drives protected by BitLocker.

An attacker could bypass Kerberos authentication by connecting a
workstation to a malicious Kerberos Key Distribution Center (KDC). The
update addresses the bypass by adding an additional authentication
check.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 	CVE number    Publicly disclosed    Exploited

Windows Kerberos Security
Feature Bypass Vulnerability   CVE-2016-0049   No           No


==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================