
====================================================================

                                CERT-Renater

                    Note d'Information No. 2016/VULN323
_____________________________________________________________________

DATE                : 14/09/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows Vista, Server 2008, 7, Server 2008 R2, 8.1,
                        Server 2012, Server 2012 R2, RT 8.1, 10
                       (all running the Microsoft Graphics Component).

=====================================================================
KB3185848
https://technet.microsoft.com/en-us/library/security/MS16-106
____________________________________________________________________

Microsoft Security Bulletin MS16-106: Critical - Security Update for
Microsoft Graphics Component (3185848)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The
most severe of the vulnerabilities could allow remote code execution if
a user either visits a specially crafted website or opens a specially
crafted document. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who operate
with administrative user rights.

This security update is rated Critical for supported editions of
Windows 10 Version 1607 and rated Important for all other supported
releases of Windows.

The security update addresses the vulnerabilities by correcting how
certain Windows kernel-mode drivers and the Windows Graphics Device
Interface (GDI) handle objects in memory and by preventing instances
of unintended user-mode privilege elevation.
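As an added illustration (not part of the CERT-Renater note or of Microsoft's
bulletin), the following PowerShell snippet lets an administrator check
whether the fix is present on a host. It assumes two things, both labelled
in the code: the bulletin number KB3185848 is used only as a default, since
on Windows 10 the fix ships inside a cumulative update that carries its own
KB number and must be supplied with -KbIds; and the versions it prints for
win32k.sys and the GDI DLLs are meant to be compared by hand against the
file information table of the bulletin, because no fixed version numbers
are hard-coded here.

```powershell
# Added example, not code from CERT-Renater or Microsoft.
# Assumption: KB3185848 is the bulletin's KB; on Windows 10 pass the
# cumulative-update KB for your build instead, e.g. -KbIds KB<number>.
param(
    [string[]] $KbIds = @('KB3185848')
)

# 1. Is any of the expected KBs listed among installed hotfixes?
$installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
if ($installed) {
    $installed | Format-Table HotFixID, InstalledOn, InstalledBy -AutoSize
} else {
    Write-Warning ("None of {0} reported by Get-HotFix." -f ($KbIds -join ', '))
}

# 2. Print the versions of the components MS16-106 patches: the win32k
#    kernel-mode driver and the GDI user-mode DLLs. gdi32full.dll only
#    exists on newer Windows 10 builds, hence the Test-Path check.
#    Assumption: the reader compares these against the bulletin's
#    file information table; no "fixed" version is asserted here.
$files = @(
    "$env:SystemRoot\System32\win32k.sys",
    "$env:SystemRoot\System32\gdi32.dll",
    "$env:SystemRoot\System32\gdi32full.dll"
)
foreach ($f in $files) {
    if (Test-Path $f) {
        Get-Item $f | Select-Object Name,
            @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } },
            @{ n = 'LastWrite';   e = { $_.LastWriteTimeUtc } }
    }
}

# 3. Report the OS caption and build so the right KB can be looked up
#    in the bulletin. Get-WmiObject is used rather than Get-CimInstance
#    so the script also runs on the PowerShell 2.0 shipped with Vista
#    and Server 2008.
$os = Get-WmiObject Win32_OperatingSystem
"{0} build {1}" -f $os.Caption, $os.BuildNumber
```

Run it in an elevated PowerShell session; Get-HotFix reads the local
Windows Update history, so an update installed by other means (offline
servicing, an image refresh) may show up only through the file versions.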


Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)


Vulnerability Information

Multiple Win32k Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the way that
certain Windows kernel-mode drivers handle objects in memory. An
attacker who successfully exploited these vulnerabilities could run
arbitrary code in kernel mode. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

To exploit these vulnerabilities, an attacker would first have to log
on to the system. An attacker could then run a specially crafted
application to take control of an affected system. The update addresses
the vulnerabilities by correcting how certain Windows kernel-mode
drivers handle objects in memory.

The following table lists the standard entry for each vulnerability in
the Common Vulnerabilities and Exposures list:

Vulnerability title                          CVE number     Publicly disclosed   Exploited
Win32k Elevation of Privilege Vulnerability  CVE-2016-3348  No                   No
Win32k Elevation of Privilege Vulnerability  CVE-2016-3349  No                   No


GDI Information Disclosure Vulnerability - CVE-2016-3354

An information disclosure vulnerability exists in the way that the
Windows Graphics Device Interface (GDI) handles objects in memory,
allowing an attacker to retrieve information from a targeted system.
An attacker who successfully exploited this vulnerability could use the
retrieved information to circumvent Address Space Layout Randomization
(ASLR) in Windows, which helps guard against a broad class of
vulnerabilities. By itself, the information disclosure does not allow
arbitrary code execution; however, it could allow arbitrary code to be
run if the attacker uses it in combination with another vulnerability,
such as a remote code execution vulnerability, that is capable of
leveraging the ASLR circumvention.

To exploit this vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application.

The security update addresses the vulnerability, and helps protect the
integrity of the ASLR security feature, by correcting how GDI handles
memory addresses.

Vulnerability title                          CVE number     Publicly disclosed   Exploited
GDI Information Disclosure Vulnerability     CVE-2016-3354  No                   No


GDI Elevation of Privilege Vulnerability - CVE-2016-3355

An elevation of privilege vulnerability exists in the way that the
Windows Graphics Device Interface (GDI) handles objects in memory. An
attacker who successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

The update addresses the vulnerability by correcting how GDI handles
objects in memory and by preventing instances of unintended user-mode
privilege elevation.

Vulnerability title                          CVE number     Publicly disclosed   Exploited
GDI Elevation of Privilege Vulnerability     CVE-2016-3355  No                   No


GDI Remote Code Execution Vulnerability - CVE-2016-3356

A remote code execution vulnerability exists in the way that the
Windows Graphics Device Interface (GDI) handles objects in memory.
An attacker who successfully exploited this vulnerability could take
control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who operate
with administrative user rights.

There are multiple ways an attacker could exploit this vulnerability:

- In a web-based attack scenario, an attacker could host a specially
crafted website that is designed to exploit the vulnerability and then
convince users to view the website. An attacker would have no way to
force users to view the attacker-controlled content. Instead, an
attacker would have to convince users to take action, typically by
getting them to open an email attachment or click a link in an email or
instant message.

- In a file sharing attack scenario, an attacker could provide a
specially crafted document file that is designed to exploit the
vulnerability, and then convince users to open the document file.

The following table lists the standard entry for each vulnerability in
the Common Vulnerabilities and Exposures list:

Vulnerability title                          CVE number     Publicly disclosed   Exploited
GDI Remote Code Execution Vulnerability      CVE-2016-3356  No                   No

==========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================