-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2140
         Microsoft Security Bulletin MS16-106: Critical - Security
             Update for Microsoft Graphics Component (3185848)
                             14 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Administrator Compromise        -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3356 CVE-2016-3355 CVE-2016-3354
                   CVE-2016-3349 CVE-2016-3348 

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS16-106

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-106: Critical - Security Update for Microsoft
Graphics Component (3185848)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most 
severe of the vulnerabilities could allow remote code execution if a user 
either visits a specially crafted website or opens a specially crafted 
document. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user
rights.

This security update is rated Critical for supported editions of Windows 10 
Version 1607 and rated Important for all other supported releases of Windows:

The security update addresses the vulnerabilities by correcting how certain 
Windows kernel-mode drivers and the Windows Graphics Device Interface(GDI) 
handle objects in memory and by preventing instances of unintended user-mode 
privilege elevation.

Affected Software

Windows Vista

Windows Server 2008

Windows 7

Winbdows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

Vulnerability Information

Multiple Win32k Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the way that certain
Windows kernel-mode drivers handle objects in memory. An attacker who 
successfully exploited these vulnerabilities could run arbitrary code in 
kernel mode. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.

To exploit these vulnerabilities, an attacker would first have to log on to 
the system. An attacker could then run a specially crafted application to take
control of an affected system. The update addresses the vulnerabilities by 
correcting how certain Windows kernel-mode drivers handle objects in memory.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 				CVE number 	Publicly disclosed 	Exploited

Win32k Elevation of Privilege Vulnerability 	CVE-2016-3348 	No 			No

Win32k Elevation of Privilege Vulnerability 	CVE-2016-3349 	No 			No

GDI Information Disclosure Vulnerability - CVE-2016-3354

An information disclosure vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in memory, allowing an 
attacker to retrieve information from a targeted system. An attacker who 
successfully exploited this vulnerability could use the retrieved information
to circumvent Address Space Layout Randomization (ASLR) in Windows, which 
helps guard against a broad class of vulnerabilities. By itself, the 
information disclosure does not allow arbitrary code execution; however, it 
could allow arbitrary code to be run if the attacker uses it in combination 
with another vulnerability, such as a remote code execution vulnerability, 
that is capable of leveraging the ASLR circumvention.

To exploit this vulnerability, an attacker would have to log on to an affected
system and run a specially crafted application.

The security update addresses the vulnerability, and helps protect the 
integrity of the ASLR security feature, by correcting how GDI handles memory 
addresses.

Vulnerability title 				CVE number 	Publicly disclosed 	Exploited

GDI Information Disclosure Vulnerability 	CVE-2016-3354 	No 			No

GDI Elevation of Privilege Vulnerability - CVE-2016-3355

An elevation of privilege vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in memory. An attacker who 
successfully exploited this vulnerability could run arbitrary code in kernel 
mode. An attacker could then install programs; view, change, or delete data; 
or create new accounts with full user rights.

The update addresses the vulnerability by correcting how GDI handles objects 
in memory and by preventing instances of unintended user-mode privilege 
elevation.

Vulnerability title 				CVE number 	Publicly disclosed 	Exploited

GDI Elevation of Privilege Vulnerability 	CVE-2016-3355 	No 			No

GDI Remote Code Execution Vulnerability - CVE-2016-3356

A remote code execution vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in the memory. An attacker who
successfully exploited this vulnerability could take control of the affected 
system. An attacker could then install programs; view, change, or delete data;
or create new accounts with full user rights. Users whose accounts are 
configured to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerabilities:

- - In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit the vulnerabilities and then convince 
users to view the website. An attacker would have no way to force users to 
view the attacker-controlled content. Instead, an attacker would have to 
convince users to take action, typically by getting them to open an email 
attachment or click a link in an email or instant message.

- - In a file sharing attack scenario, an attacker could provide a specially 
crafted document file that is designed to exploit the vulnerabilities, and 
then convince users to open the document file.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 			CVE number 	Publicly disclosed 	Exploited

GDI Remote Code Execution Vulnerability CVE-2016-3356	No 			No

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBV9iMP4x+lLeg9Ub1AQjkcxAAhrAfKOvX6+kc2+AQg/CQc1EvUw5iE1AQ
euLqmaWmDovHByixC5w9nM/fneDZzndoUKq0a9D/KJEIaKqWnXKF6xs9w4N0dByA
4bxKVu7IK4lYqWcVeX5kzC6zEh1YLl0jJ37CcvLZH8DXN2IKqdcuLFBlAP+7nHEg
bVZYcom2/mx4UHALoFb9o3d0xw5gyDyh0Cb3i2SDZonXLflIGhUdW/KyPuRRJC4M
YlYNN1hTnIzk+cwRnBy6mtgEJeLHkFRIJ738fPkLIArr7noeiNPUEAhuJQGV1HhH
IUcmOFIY3QI7Ydm9BJT52VGxqce0oYUuyAEdSQ3hobSzZqiKTrP1CaBewdJDlJ8/
mzFLJyBqdhdLZxPiWnq+yy5sXRHqfobg8u2LOJVQhwOF+ID9CqKuU7VDvkoIFcyB
KCM4Jg0Aih3wBuBVqK6pbvxPde8WQxCwVsjO/4RLBrRaRYAaDS/dzgIbnb1WjZtY
MLJvHQwTrOWewk0XpXCu9Xoqvv32T5u7JjCc/pHTCHZWopMVlC6i4S2B0hXNg/Xl
TlZ7WwXBJGAI9oDdKJJDOvRs6K8iqXEvAOGQW5l3qKJEjHJy5nWC3k73d7lcifUo
XgjyvyE+Pc/La6Y7boPji3YzblT9RXnOmLTaYYH2Xay88W260lSU9xIU2EMqSeZh
dsNo55DNMto=
=cK2W
-----END PGP SIGNATURE-----