
====================================================================

                                CERT-Renater

                     Information Note No. 2016/VULN252
_____________________________________________________________________

DATE                : 15/06/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows versions Vista, Server 2008, 7, 8.1,
                            Server 2012, RT 8.1, 10.

======================================================================
https://technet.microsoft.com/en-us/library/security/MS16-072
https://technet.microsoft.com/en-us/library/security/MS16-073
https://technet.microsoft.com/en-us/library/security/MS16-074
https://technet.microsoft.com/en-us/library/security/MS16-075
https://technet.microsoft.com/en-us/library/security/MS16-076
https://technet.microsoft.com/en-us/library/security/MS16-077
https://technet.microsoft.com/en-us/library/security/MS16-078
https://technet.microsoft.com/en-us/library/security/MS16-080
https://technet.microsoft.com/en-us/library/security/MS16-081
https://technet.microsoft.com/en-us/library/security/MS16-082
____________________________________________________________________

Microsoft Security Bulletin MS16-072: Security Update for Group Policy
(3163622)

Executive Summary

This security update resolves a vulnerability in Microsoft Windows. The
vulnerability could allow elevation of privilege if an attacker
launches a man-in-the-middle (MiTM) attack against the traffic passing
between a domain controller and the target machine.

This security update is rated Important for all supported releases
of Microsoft Windows.


Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information

Group Policy Elevation of Privilege Vulnerability - CVE-2016-3223

An elevation of privilege vulnerability exists when Microsoft Windows
processes group policy updates. An attacker who successfully exploited
this vulnerability could potentially escalate permissions or perform
additional privileged actions on the target machine.

To exploit this vulnerability, an attacker would need to launch a
man-in-the-middle (MiTM) attack against the traffic passing between
a domain controller and the target machine. An attacker could then
create a group policy to grant administrator rights to a standard user.
The security update addresses the vulnerability by enforcing Kerberos
authentication for certain calls over LDAP.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Group Policy Elevation of   CVE-2016-3223  No                  No
Privilege Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-073 - Important: Security Update for 
Windows Kernel-Mode Drivers (3164028)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most
severe of the vulnerabilities could allow elevation of privilege if an
attacker logs on to an affected system and runs a specially crafted
application.

This security update is rated Important for all supported releases of
Microsoft Windows. For more information, see the Affected Software and
Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting how the
Windows kernel-mode driver handles objects in memory, and by correcting
VPCI memory handling.


Affected Software

Operating System

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information

Multiple Win32k Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in Windows when
the Windows kernel-mode driver fails to properly handle objects in
memory. An attacker who successfully exploited the vulnerabilities
could run arbitrary code in kernel mode. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.

To exploit the vulnerabilities, an attacker would first have to log on
to the target system. An attacker could then run a specially crafted
application that could exploit the vulnerabilities and take control
over an affected system. The update addresses the vulnerabilities by
correcting how the Windows kernel-mode driver handles objects in
memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Win32k Elevation of         CVE-2016-3218  No                  No
Privilege Vulnerability

Win32k Elevation of         CVE-2016-3221  No                  No
Privilege Vulnerability


Windows Virtual PCI Information Disclosure Vulnerability - CVE-2016-3232

An information disclosure vulnerability exists when the Windows Virtual
PCI (VPCI) virtual service provider (VSP) fails to properly handle
uninitialized memory. An attacker who successfully exploited this
vulnerability could potentially disclose contents of memory to which
they should not have access.

To exploit the vulnerability, an attacker would first have to log on to
the target system. An attacker could then run a specially crafted
application that could exploit the vulnerability. The vulnerability
would not allow an attacker to execute code or to elevate user rights
directly, but it could be used to obtain information that could be used
to try to further compromise the affected system. The update addresses
the vulnerability by correcting VPCI memory handling.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows Virtual PCI         CVE-2016-3232  No                  No
Information Disclosure
Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-074: Important - Security Update for
Microsoft Graphics Component (3164036)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows.
The most severe of the vulnerabilities could allow elevation of
privilege if a user opens a specially crafted document or visits
a specially crafted website.

This security update is rated Important for all supported releases
of Microsoft Windows.


Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information


Windows Graphics Component Information Disclosure Vulnerability -
CVE-2016-3216

An information disclosure vulnerability exists when the Windows
Graphics Component (GDI32.dll) fails to properly handle objects in
memory, allowing an attacker to retrieve information that could lead to
an Address Space Layout Randomization (ASLR) bypass. An attacker who
successfully exploited this vulnerability could cause an information
disclosure to bypass the ASLR security feature that protects users
from a broad class of vulnerabilities.

The security feature bypass itself does not allow arbitrary code
execution. However, an attacker could use the ASLR bypass
vulnerability in conjunction with another vulnerability, such as a
remote code execution vulnerability, that could take advantage of the
ASLR bypass to run arbitrary code.

To exploit this vulnerability, an attacker could convince a user to
run a specially crafted application. The security update addresses
the vulnerability by correcting how the Windows Graphics Component
handles addresses in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

Windows Graphics Component  CVE-2016-3216  No                  No
Information Disclosure
Vulnerability


Win32k Elevation of Privilege Vulnerability - CVE-2016-3219

An elevation of privilege vulnerability exists when Windows
improperly handles objects in memory. An attacker who successfully
exploited this vulnerability could run processes in an elevated context.

In a local attack scenario, an attacker could exploit this
vulnerability by running a specially crafted application to take
control of the affected system. The update addresses the vulnerability
by correcting how the Windows kernel-mode driver handles objects in
memory and by helping to prevent unintended elevation of privilege from
user-mode.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

Win32k Elevation of         CVE-2016-3219  No                  No
Privilege Vulnerability


ATMFD.dll Elevation of Privilege Vulnerability - CVE-2016-3220

An elevation of privilege vulnerability exists in Adobe Type Manager
Font Driver (ATMFD.dll) when it fails to properly handle objects in
memory. An attacker who successfully exploited this vulnerability
could execute arbitrary code and take control of an affected system.
An attacker could then install programs; view, change, or delete data;
or create new accounts with full user rights.

To exploit the vulnerability, an attacker would first have to log on
to a target system and then run a specially crafted application. The
security update addresses the vulnerability by correcting how
ATMFD.dll handles objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

ATMFD.dll Elevation of      CVE-2016-3220  No                  No
Privilege Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-075: Security Update for Windows SMB 
Server (3164038)

Executive Summary

This security update resolves a vulnerability in Microsoft Windows.
The vulnerability could allow elevation of privilege if an attacker
logs on to the system and runs a specially crafted application.

This security update is rated Important for all supported releases
of Microsoft Windows.


Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information


Windows SMB Server Elevation of Privilege Vulnerability - CVE-2016-3225

An elevation of privilege vulnerability exists in the Microsoft Server
Message Block (SMB) when an attacker forwards an authentication request
intended for another service running on the same machine. An attacker
who successfully exploited this vulnerability could execute arbitrary
code with elevated permissions.

To exploit the vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application
that could exploit the vulnerability and take control of an affected
system. The update addresses the vulnerability by correcting how
Windows Server Message Block (SMB) Server handles credential forwarding
requests.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

Windows SMB Server          CVE-2016-3225  Yes                 No
Elevation of Privilege
Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-076: Security Update for Netlogon (3167691)

Executive Summary

This security update resolves a vulnerability in Microsoft Windows.
The vulnerability could allow remote code execution if an attacker
with access to a domain controller (DC) on a target network runs a
specially crafted application to establish a secure channel to the
DC as a replica domain controller.

This security update is rated Important for all supported editions
of Windows Server 2008, Windows Server 2008 R2, Windows Server 2012,
and Windows Server 2012 R2.


Affected Software

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information


Windows Netlogon Memory Corruption Remote Code Execution - CVE-2016-3228

This security update resolves a vulnerability in Microsoft Windows. The
vulnerability could allow remote code execution when Windows improperly
handles objects in memory. An attacker who successfully exploited this
vulnerability could gain the same user rights as the current user. To
exploit the vulnerability, a domain-authenticated attacker could make a
specially crafted NetLogon request to a domain controller. Users whose
accounts are configured to have fewer user rights on the system could
be less impacted than those who operate with administrative user
rights. This update corrects how Windows handles objects in memory
to prevent corruption.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows Netlogon Memory     CVE-2016-3228  No                  No
Corruption Remote Code
Execution Vulnerability

____________________________________________________________________


Microsoft Security Bulletin MS16-077: Security Update for WPAD (3165191)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows.
The vulnerabilities could allow elevation of privilege if the Web
Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy
discovery process on a target system.

This security update is rated Important for all supported releases
of Microsoft Windows.


Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information


Windows WPAD Elevation of Privilege Vulnerability - CVE-2016-3213

An elevation of privilege vulnerability exists in Microsoft Windows
when the Web Proxy Auto Discovery (WPAD) protocol falls back to a
vulnerable proxy discovery process. An attacker who successfully
exploited this vulnerability could bypass security and gain
elevated privileges on a targeted system.

To exploit the vulnerability, an attacker could respond to NetBIOS
name requests for WPAD. The update addresses the vulnerability by
correcting how Windows handles proxy discovery.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows WPAD Elevation of   CVE-2016-3213  No                  No
Privilege Vulnerability


Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability -
CVE-2016-3236

An elevation of privilege vulnerability exists when Microsoft Windows
improperly handles certain proxy discovery scenarios using the Web
Proxy Auto Discovery (WPAD) protocol method. An attacker who
successfully exploited the vulnerability could potentially access and
control network traffic for which the attacker does not have sufficient
privileges. The update addresses the vulnerability by correcting WPAD
automatic proxy detection in Windows.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows WPAD Proxy          CVE-2016-3236  Yes                 No
Discovery Elevation of
Privilege Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-078: Security Update for Windows 
Diagnostic Hub (3165479)

Executive Summary

This security update resolves a vulnerability in Microsoft Windows.
The vulnerability could allow elevation of privilege if an attacker
logs on to an affected system and runs a specially crafted application.

This security update is rated Important for all supported editions of
Microsoft Windows 10.


Affected Software

Windows 10


Vulnerability Information


Windows Diagnostics Hub Elevation of Privilege Vulnerability - CVE-2016-3231

An elevation of privilege vulnerability exists when the Windows
Diagnostics Hub Standard Collector Service fails to properly sanitize
input, leading to an unsecure library loading behavior. An attacker who
successfully exploited this vulnerability could run arbitrary code with
elevated system privileges. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

To exploit this vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application. The security
update addresses the vulnerability by correcting how the Windows
Diagnostics Hub Standard Collector Service sanitizes input, to help
preclude unintended elevated system privileges.

The following table contains a link to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows Diagnostics Hub     CVE-2016-3231  No                  No
Elevation of Privilege
Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-080: Security Update for Microsoft 
Windows PDF (3164302)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows.
The more severe of the vulnerabilities could allow remote code
execution if a user opens a specially crafted .pdf file. An attacker
who successfully exploited the vulnerabilities could cause arbitrary
code to execute in the context of the current user. However, an
attacker would have no way to force a user to open a specially
crafted .pdf file.

This security update is rated Important for all supported editions
of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and
Windows 10.


Affected Software

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows 10


Vulnerability Information


Multiple Windows PDF Information Disclosure Vulnerabilities

Information disclosure vulnerabilities exist in Microsoft Windows
when a user opens a specially crafted .pdf file. An attacker who
successfully exploited the vulnerabilities could read information
in the context of the current user.

To exploit the vulnerabilities, an attacker would have to trick
the user into opening the .pdf file. The update addresses the
vulnerabilities by modifying how Windows parses .pdf files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

Windows PDF Information     CVE-2016-3201  No                  No
Disclosure Vulnerability

Windows PDF Information     CVE-2016-3215  No                  No
Disclosure Vulnerability


Windows PDF Remote Code Execution Vulnerability - CVE-2016-3203

A remote code execution vulnerability exists in Microsoft Windows
if a user opens a specially crafted .pdf file. An attacker who
successfully exploited the vulnerability could cause arbitrary
code to execute in the context of the current user.

To exploit the vulnerability, an attacker must entice the user
to open a specially crafted .pdf file. The update addresses the
vulnerability by modifying how Windows parses .pdf files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title         CVE number     Publicly disclosed  Exploited

Windows PDF Remote Code     CVE-2016-3203  No                  No
Execution Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-081: Security Update for Active 
Directory (3160352)

Executive Summary

This security update resolves a vulnerability in Active Directory.
The vulnerability could allow denial of service if an authenticated
attacker creates multiple machine accounts. To exploit the
vulnerability an attacker must have an account that has privileges
to join machines to the domain.

This security update is rated Important for all supported editions
of Windows Server 2008 R2, Windows Server 2012, and
Windows Server 2012 R2.


Affected Software

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information

Active Directory Denial of Service Vulnerability - CVE-2016-3226

A denial of service vulnerability exists in Active Directory when an
authenticated attacker creates multiple machine accounts. An attacker
who successfully exploited this vulnerability could cause the Active
Directory service to become non-responsive.

To exploit this vulnerability an attacker must have valid credentials.
An attacker could exploit this vulnerability by creating multiple
machine accounts, resulting in denial of service. The update addresses
the vulnerability by correcting how machine accounts are created.

The following table contains a link to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Active Directory Denial     CVE-2016-3226  No                  No
of Service Vulnerability

____________________________________________________________________

Microsoft Security Bulletin MS16-082: Security Update for Microsoft 
Windows Search Component (3165270)

Executive Summary

This security update resolves a vulnerability in Microsoft Windows.
The vulnerability could allow denial of service if an attacker logs
on to a target system and runs a specially crafted application.

This security update is rated Important for all supported editions
of Windows 7, Windows Server 2008 R2, Windows 8.1,
Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1,
and Windows 10.


Affected Software

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information

Windows Search Component Denial of Service Vulnerability - CVE-2016-3230

This vulnerability occurs when the Windows Search component fails to
properly handle certain objects in memory. An attacker who successfully
exploited this vulnerability could cause server performance to degrade
sufficiently to cause a denial of service condition. To exploit this
vulnerability, an attacker could use it to cause a denial of service
attack and disrupt server availability.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability Title         CVE number     Publicly disclosed  Exploited

Windows Search Component    CVE-2016-3230  Yes                 No
Denial of Service
Vulnerability

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================






