-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2140
        Microsoft Security Bulletin MS16-106: Critical - Security Update
                  for Microsoft Graphics Component (3185848)
                              14 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Administrator Compromise        -- Existing Account
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3356 CVE-2016-3355 CVE-2016-3354 CVE-2016-3349
                   CVE-2016-3348

Original Bulletin:
   https://technet.microsoft.com/en-us/library/security/MS16-106

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-106: Critical - Security Update for
Microsoft Graphics Component (3185848)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most
severe of the vulnerabilities could allow remote code execution if a user
either visits a specially crafted website or opens a specially crafted
document. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user
rights.

This security update is rated Critical for supported editions of Windows 10
Version 1607 and rated Important for all other supported releases of Windows.

The security update addresses the vulnerabilities by correcting how certain
Windows kernel-mode drivers and the Windows Graphics Device Interface (GDI)
handle objects in memory and by preventing instances of unintended user-mode
privilege elevation.
Affected Software

Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8.1
Windows Server 2012
Windows Server 2012 R2
Windows RT 8.1
Windows 10
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)

Vulnerability Information

Multiple Win32k Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the way that certain
Windows kernel-mode drivers handle objects in memory. An attacker who
successfully exploited these vulnerabilities could run arbitrary code in
kernel mode. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.

To exploit these vulnerabilities, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application to take
control of an affected system. The update addresses the vulnerabilities by
correcting how certain Windows kernel-mode drivers handle objects in memory.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                           CVE number     Publicly disclosed  Exploited
Win32k Elevation of Privilege Vulnerability   CVE-2016-3348  No                  No
Win32k Elevation of Privilege Vulnerability   CVE-2016-3349  No                  No

GDI Information Disclosure Vulnerability - CVE-2016-3354

An information disclosure vulnerability exists in the way that the Windows
Graphics Device Interface (GDI) handles objects in memory, allowing an
attacker to retrieve information from a targeted system.
An attacker who successfully exploited this vulnerability could use the
retrieved information to circumvent Address Space Layout Randomization (ASLR)
in Windows, which helps guard against a broad class of vulnerabilities. By
itself, the information disclosure does not allow arbitrary code execution;
however, it could allow arbitrary code to be run if the attacker uses it in
combination with another vulnerability, such as a remote code execution
vulnerability, that is capable of leveraging the ASLR circumvention.

To exploit this vulnerability, an attacker would have to log on to an
affected system and run a specially crafted application. The security update
addresses the vulnerability, and helps protect the integrity of the ASLR
security feature, by correcting how GDI handles memory addresses.

Vulnerability title                           CVE number     Publicly disclosed  Exploited
GDI Information Disclosure Vulnerability      CVE-2016-3354  No                  No

GDI Elevation of Privilege Vulnerability - CVE-2016-3355

An elevation of privilege vulnerability exists in the way that the Windows
Graphics Device Interface (GDI) handles objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in kernel
mode. An attacker could then install programs; view, change, or delete data;
or create new accounts with full user rights.

The update addresses the vulnerability by correcting how GDI handles objects
in memory and by preventing instances of unintended user-mode privilege
elevation.

Vulnerability title                           CVE number     Publicly disclosed  Exploited
GDI Elevation of Privilege Vulnerability      CVE-2016-3355  No                  No

GDI Remote Code Execution Vulnerability - CVE-2016-3356

A remote code execution vulnerability exists in the way that the Windows
Graphics Device Interface (GDI) handles objects in the memory. An attacker who
successfully exploited this vulnerability could take control of the affected
system. An attacker could then install programs; view, change, or delete data;
or create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerabilities:

- In a web-based attack scenario, an attacker could host a specially crafted
  website that is designed to exploit the vulnerabilities and then convince
  users to view the website. An attacker would have no way to force users to
  view the attacker-controlled content. Instead, an attacker would have to
  convince users to take action, typically by getting them to open an email
  attachment or click a link in an email or instant message.

- In a file sharing attack scenario, an attacker could provide a specially
  crafted document file that is designed to exploit the vulnerabilities, and
  then convince users to open the document file.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                           CVE number     Publicly disclosed  Exploited
GDI Remote Code Execution Vulnerability       CVE-2016-3356  No                  No

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================