Published: 14 September 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2140
         Microsoft Security Bulletin MS16-106: Critical - Security
             Update for Microsoft Graphics Component (3185848)
                             14 September 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Administrator Compromise        -- Existing Account            
                   Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3356 CVE-2016-3355 CVE-2016-3354
                   CVE-2016-3349 CVE-2016-3348 

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS16-106

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-106: Critical - Security Update for Microsoft
Graphics Component (3185848)

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most 
severe of the vulnerabilities could allow remote code execution if a user 
either visits a specially crafted website or opens a specially crafted 
document. Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with administrative user
rights.

This security update is rated Critical for supported editions of Windows 10 
Version 1607 and rated Important for all other supported releases of Windows.

The security update addresses the vulnerabilities by correcting how certain 
Windows kernel-mode drivers and the Windows Graphics Device Interface (GDI) 
handle objects in memory and by preventing instances of unintended user-mode 
privilege elevation.

Affected Software

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows RT 8.1

Windows 10

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core 
installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)
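As an added patch-verification check, not part of the AusCERT or Microsoft bulletin text: a PowerShell script that reports whether the packages for this bulletin are present on the local host and whether the host is one of the affected releases listed above. It assumes the per-release package KB numbers are taken from the Microsoft bulletin linked above (the bulletin-level number 3185848 quoted on this page is only a placeholder default), and that installed updates are visible through Get-HotFix.

```powershell
# Added example: verify that the packages for a Microsoft security bulletin are
# installed on this host. Not part of the AusCERT/Microsoft bulletin text.
# $KbIds: package KB numbers for this OS release, taken from the linked
# Microsoft bulletin. KB3185848 is the bulletin-level number quoted on the
# page and is used here only as a placeholder default.
param(
    [string[]]$KbIds = @('KB3185848')
)

# Affected releases listed in the bulletin. Assumption: matched against the
# OS caption string reported by Win32_OperatingSystem.
$affectedPatterns = @(
    'Windows Vista', 'Windows Server 2008', 'Windows 7',
    'Windows 8.1', 'Windows Server 2012', 'Windows RT 8.1', 'Windows 10'
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isAffected = $false
foreach ($p in $affectedPatterns) {
    if ($os.Caption -like "*$p*") { $isAffected = $true; break }
}

Write-Host ("Host: {0}  OS: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber)
if (-not $isAffected) {
    Write-Host 'OS caption does not match an affected release listed in the bulletin.'
}

# Get-HotFix lists installed Windows updates (QFE entries) by their KB id.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($kb in $KbIds) {
    if ($installed -contains $kb) {
        Write-Host ("{0}: installed" -f $kb)
    } else {
        Write-Host ("{0}: NOT found" -f $kb)
        $missing += $kb
    }
}

# Exit code 1 when an affected host lacks any required package, so the script
# can be run from a scheduler and the result collected centrally.
if ($isAffected -and $missing.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it with the real per-release KB numbers, e.g. `.\Check-MS16-106.ps1 -KbIds 'KB<number from bulletin>'`, since Get-HotFix reports the individual package id, not the bulletin id.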

Vulnerability Information

Multiple Win32k Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist in the way that certain
Windows kernel-mode drivers handle objects in memory. An attacker who 
successfully exploited these vulnerabilities could run arbitrary code in 
kernel mode. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights.

To exploit these vulnerabilities, an attacker would first have to log on to 
the system. An attacker could then run a specially crafted application to take
control of an affected system. The update addresses the vulnerabilities by 
correcting how certain Windows kernel-mode drivers handle objects in memory.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                          CVE number     Publicly disclosed  Exploited
Win32k Elevation of Privilege Vulnerability  CVE-2016-3348  No                  No
Win32k Elevation of Privilege Vulnerability  CVE-2016-3349  No                  No

GDI Information Disclosure Vulnerability - CVE-2016-3354

An information disclosure vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in memory, allowing an 
attacker to retrieve information from a targeted system. An attacker who 
successfully exploited this vulnerability could use the retrieved information
to circumvent Address Space Layout Randomization (ASLR) in Windows, which 
helps guard against a broad class of vulnerabilities. By itself, the 
information disclosure does not allow arbitrary code execution; however, it 
could allow arbitrary code to be run if the attacker uses it in combination 
with another vulnerability, such as a remote code execution vulnerability, 
that is capable of leveraging the ASLR circumvention.

To exploit this vulnerability, an attacker would have to log on to an affected
system and run a specially crafted application.

The security update addresses the vulnerability, and helps protect the 
integrity of the ASLR security feature, by correcting how GDI handles memory 
addresses.

Vulnerability title                       CVE number     Publicly disclosed  Exploited
GDI Information Disclosure Vulnerability  CVE-2016-3354  No                  No

GDI Elevation of Privilege Vulnerability - CVE-2016-3355

An elevation of privilege vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in memory. An attacker who 
successfully exploited this vulnerability could run arbitrary code in kernel 
mode. An attacker could then install programs; view, change, or delete data; 
or create new accounts with full user rights.

The update addresses the vulnerability by correcting how GDI handles objects 
in memory and by preventing instances of unintended user-mode privilege 
elevation.

Vulnerability title                       CVE number     Publicly disclosed  Exploited
GDI Elevation of Privilege Vulnerability  CVE-2016-3355  No                  No

GDI Remote Code Execution Vulnerability - CVE-2016-3356

A remote code execution vulnerability exists in the way that the Windows 
Graphics Device Interface (GDI) handles objects in memory. An attacker who
successfully exploited this vulnerability could take control of the affected 
system. An attacker could then install programs; view, change, or delete data;
or create new accounts with full user rights. Users whose accounts are 
configured to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights.

There are multiple ways an attacker could exploit the vulnerability:

- In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit the vulnerability and then convince 
users to view the website. An attacker would have no way to force users to 
view the attacker-controlled content. Instead, an attacker would have to 
convince users to take action, typically by getting them to open an email 
attachment or click a link in an email or instant message.

- In a file sharing attack scenario, an attacker could provide a specially 
crafted document file that is designed to exploit the vulnerability, and 
then convince users to open the document file.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                      CVE number     Publicly disclosed  Exploited
GDI Remote Code Execution Vulnerability  CVE-2016-3356  No                  No

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----