===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0079
      Microsoft Security Bulletin MS16-007: Security Update for Microsoft
                   Windows to Address Remote Code Execution
                              13 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Windows
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0020 CVE-2016-0019 CVE-2016-0018 CVE-2016-0016
                   CVE-2016-0015 CVE-2016-0014

Original Bulletin:
   https://technet.microsoft.com/en-us/library/security/MS16-007

---------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS16-007: Security Update for Microsoft Windows
to Address Remote Code Execution (3124901)

Document Metadata

Bulletin Number:  MS16-007
Bulletin Title:   Security Update for Microsoft Windows to Address Remote
                  Code Execution
Severity:         Important
KB Article:       3124901
Version:          1.0
Published Date:   January 12, 2016

Executive Summary

This security update resolves vulnerabilities in Microsoft Windows. The most
severe of the vulnerabilities could allow remote code execution if an attacker
is able to log on to a target system and run a specially crafted application.
Affected Software

Operating System

  Windows Vista Service Pack 2 (3109560)
  Windows Vista x64 Edition Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows Server 2008 for Itanium-based Systems Service Pack 2
  Windows 7 for 32-bit Systems Service Pack 1
  Windows 7 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  Windows 8 for 32-bit Systems
  Windows 8 for x64-based Systems
  Windows 8.1 for 32-bit Systems
  Windows 8.1 for x64-based Systems
  Windows Server 2012
  Windows Server 2012 R2
  Windows RT[2]
  Windows RT 8.1[2]
  Windows 10 for 32-bit Systems[3]
  Windows 10 for x64-based Systems[3]
  Windows 10 Version 1511 for 32-bit Systems[3]
  Windows 10 Version 1511 for x64-based Systems[3]
  Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  Windows Server 2012 (Server Core installation)
  Windows Server 2012 R2 (Server Core installation)

[1] To be protected from this vulnerability on Windows 7 and Windows Server
    2008 R2 systems, in addition to installing this update customers must
    also install the 3124275 cumulative update for Internet Explorer 10 or
    Internet Explorer 11. See MS16-001 for download links.
[2] This update is only available via Windows Update.
[3] Windows 10 updates are cumulative. In addition to containing non-security
    updates, they also contain all of the security fixes for all of the
    Windows 10-affected vulnerabilities shipping with the monthly security
    release. The update is available via the Windows Update Catalog.
Vulnerability Information

Multiple DLL Loading Elevation of Privilege Vulnerabilities

Multiple elevation of privilege vulnerabilities exist when Windows improperly
validates input before loading dynamic link library (DLL) files. An attacker
who successfully exploited the vulnerabilities could elevate their privileges
on a targeted system.

To exploit the vulnerabilities, an attacker would first have to log on to the
target system. An attacker could then run a specially crafted application that
could exploit the vulnerabilities and take control over an affected system.
The update addresses the vulnerabilities by correcting how Windows validates
input before loading DLL files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                CVE number     Publicly   Exploited
                                                                  disclosed
DLL Loading Elevation of Privilege Vulnerability   CVE-2016-0014  No         No
MAPI DLL Loading Elevation of Privilege            CVE-2016-0020  No         No
  Vulnerability

DirectShow Heap Corruption Remote Code Execution Vulnerability - CVE-2016-0015

A remote code execution vulnerability exists when Microsoft DirectShow
improperly validates user input. An attacker who successfully exploited this
vulnerability could cause arbitrary code to execute in the context of the
current user. If a user is logged on with administrative user rights, an
attacker could take complete control of the affected system. An attacker could
then install programs; view, change, or delete data; or create new accounts
with full user rights. Users whose accounts are configured to have fewer user
rights on the system could be less impacted than users who operate with
administrative user rights.

For an attack to be successful, this vulnerability requires that a user open a
specially crafted file. In an email attack scenario, an attacker could exploit
the vulnerability by sending a specially crafted link to the user and by
convincing the user to open it.
The security update addresses the vulnerability by modifying how DirectShow
validates user input. Microsoft received information about the vulnerability
through coordinated vulnerability disclosure. When this security bulletin was
issued, Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers.

Multiple DLL Loading Remote Code Execution Vulnerabilities

Multiple remote code execution vulnerabilities exist when Windows improperly
validates input before loading dynamic link library (DLL) files. An attacker
who successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

To exploit the vulnerabilities, an attacker would first have to log on to the
target system and then run a specially crafted application. The updates
address the vulnerabilities by correcting how Windows validates input before
loading DLL files.

The following table contains links to the standard entry for each
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title                                  CVE number     Publicly   Exploited
                                                                    disclosed
Windows DLL Loading Remote Code Execution            CVE-2016-0016  Yes        No
  Vulnerability
Windows DLL Loading Remote Code Execution            CVE-2016-0018  Yes        No
  Vulnerability

Windows Remote Desktop Protocol Security Bypass Vulnerability - CVE-2016-0019

A security feature bypass vulnerability exists in Windows Remote Desktop
Protocol (RDP) that is caused when Windows 10 hosts running RDP services fail
to prevent remote logon to accounts that have no passwords set. An attacker
who successfully exploited this vulnerability could gain access to the remote
host as another user, possibly with elevated privileges.
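A defender-side audit of the precondition this bypass depends on (enabled local accounts with no password set on a host that accepts Remote Desktop connections), together with the console-only blank-password restriction the bulletin refers to; this is an added example, not part of the Microsoft bulletin or AusCERT's redistribution. It assumes a Windows 10 host with PowerShell 5.1 (for Get-LocalUser) and an elevated prompt.

```powershell
# Added example: audit for the CVE-2016-0019 precondition on a Windows 10 host.
# Run from an elevated PowerShell 5.1 prompt (Get-LocalUser needs 5.1+).

$report = [ordered]@{}

# The default "restrict accounts without passwords to local logon only" setting
# (policy: "Accounts: Limit local account use of blank passwords to console
# logon only") is stored as LimitBlankPasswordUse; 1 = enforced (the default).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$report.LimitBlankPasswordUse = [int]$lsa.LimitBlankPasswordUse

# Remote Desktop accepts connections when fDenyTSConnections is 0.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report.RdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Enabled local accounts that are flagged as not requiring a password.
# These are the accounts an unpatched host would let an older RDP client log on to.
$report.BlankPasswordAccounts = @(
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object -ExpandProperty Name
)

# The bypass only matters when RDP is reachable and such an account exists.
# Patch state is not checked here: on Windows 10 the fix ships in the monthly
# cumulative update (see footnote [3]), not as a standalone KB3124901 package.
$report.AtRiskUntilPatched = $report.RdpEnabled -and
                             ($report.BlankPasswordAccounts.Count -gt 0)

[pscustomobject]$report | Format-List
```

Remediation on the host side is to set a password on (or disable) each account listed, independent of installing the update.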
An attacker could exploit this vulnerability by using an older version of the
RDP client to connect to the Windows 10 host. Once connected, the attacker
could generate a list of user accounts on the host and attempt to log on as
those users. If one of the user accounts has no password set, then the
attacker is allowed to log on as that user, despite the default system setting
that restricts access to accounts without passwords to local logon only.

The security update addresses the vulnerability by enforcing the default
setting of not allowing remote logon for accounts without passwords. Microsoft
received information about this vulnerability through coordinated
vulnerability disclosure. At the time this security bulletin was originally
issued, Microsoft was unaware of any attack attempting to exploit this
vulnerability.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================