==================================================================== CERT-Renater Note d'Information No. 2016/VULN350 _____________________________________________________________________ DATE : 14/10/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows version Vista, Server 2008, 7 running Microsoft Internet Messaging API. ===================================================================== KB3196067 https://technet.microsoft.com/en-us/library/security/MS16-126 ____________________________________________________________________ Microsoft Security Bulletin MS16-126 - Moderate Security Update for Microsoft Internet Messaging API (3196067) Published: October 11, 2016 Version: 1.0 Executive Summary This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk. The security update affects Microsoft Windows Vista, Windows Server 2008, Windows 7 and Windows Sever 2008 R2 and is rated moderate on client and low on server operating systems. Note that you must install two updates to be protected from the vulnerability discussed in this bulletin: The update in this bulletin, and the update in MS16-118. See Update FAQ section below for more information. The update addresses the vulnerability by changing the way the Microsoft Internet Messaging API handles objects in memory. Affected Software Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Vulnerability Information Internet Explorer Information Disclosure Vulnerability CVE-2016-3298 An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow the attacker to test for the presence of files on disk. For an attack to be successful an attacker must persuade a user to open a malicious website. The update addresses the vulnerability by changing the way the Microsoft Internet Messaging API handles objects in memory. The following table contain a link to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Internet Explorer Information Disclosure Vulnerability CVE-2016-3298 No Yes ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================