===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2940
         Microsoft Security Bulletin MS16-155: Security Update for
                         .NET Framework (3205640)
                             13 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
Publisher:         Microsoft
Operating System:  Windows Vista
                   Windows Server 2008
                   Windows 7
                   Windows Server 2008 R2
                   Windows 8.1
                   Windows Server 2012
                   Windows Server 2012 R2
                   Windows RT 8.1
                   Windows 10
                   Windows Server 2016
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-7270  

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS16-155

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-155: Security Update for .NET Framework 
(3205640)

Published Date: December 14, 2016

Version: 1.0

Executive Summary

This security update resolves a vulnerability in Microsoft .NET 4.6.2 
Framework's Data Provider for SQL Server. A security vulnerability exists in 
Microsoft .NET Framework 4.6.2 that could allow an attacker to access 
information that is defended by the Always Encrypted feature.

This security update is rated Important for Microsoft .NET Framework 4.6.2. 

Affected Software

Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8.1
Windows Server 2012 and Windows Server 2012 R2
Windows RT 8.1
Windows 10
Windows Server 2016

Vulnerability Information

.NET Framework Information Disclosure Vulnerability CVE-2016-7270

An information disclosure vulnerability exists in Microsoft .NET 4.6.2 
Framework's Data Provider for SQL Server that could allow an attacker to access
information that should be defended by the Always Encrypted feature. The 
vulnerability is caused when .NET Framework improperly uses a 
developer-supplied key. When this key is misused, it is also possible for 
access to data to be temporarily lost.

To exploit the vulnerability, an attacker who can access the incorrectly 
encrypted data could attempt to decrypt the data using an easily guessable 
key.

Vulnerability title                                  CVE number     Publicly disclosed  Exploited
.NET Framework Information Disclosure Vulnerability  CVE-2016-7270  Yes                 No
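
A host-level triage check for the scope described above, as an added example
that is not part of the Microsoft or AusCERT text: it reports whether the
machine runs .NET Framework 4.6.2 and whether any application configuration
file under the given roots enables Always Encrypted. The $ConfigRoots default
and the output property names are assumptions.

```powershell
# Added triage example; not from the Microsoft or AusCERT bulletin.
# Assumption: application config files live under $ConfigRoots (hypothetical default).
param(
    [string[]]$ConfigRoots = @('C:\inetpub')
)

# .NET Framework 4.x records its installed build in the Release DWORD.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release

# 4.6.2 reports 394802 (Windows 10 Anniversary Update / Server 2016) or
# 394806 (other operating systems); 4.7 starts at 460798.
$is462 = ($null -ne $release) -and ($release -ge 394802) -and ($release -lt 460798)

# Always Encrypted is enabled per connection with this connection-string keyword.
# Select-String matches case-insensitively by default.
$pattern = 'Column\s+Encryption\s+Setting\s*=\s*Enabled'

$hits = @()
foreach ($root in $ConfigRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    $hits += Get-ChildItem -Path $root -Recurse -File -Filter *.config -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object -ExpandProperty Path -Unique
}

# Caveat: the setting can also be applied in code (per connection or per command),
# which a config-file scan cannot see, so an empty list does not prove
# that Always Encrypted is unused on this host.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    Release                = $release
    IsNetFx462             = $is462
    AlwaysEncryptedConfigs = $hits
    Triage                 = if ($is462 -and $hits.Count -gt 0) {
                                 'In scope, Always Encrypted in use: patch first'
                             } elseif ($is462) {
                                 'In scope: apply the update'
                             } else {
                                 'Not .NET Framework 4.6.2'
                             }
}
```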

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================