Kaspersky Threats

Erkennungsdatum

?

02/09/2016

Schweregrad

?

Kritisch

Beschreibung

Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, bypass security restrictions or gain privileges.

Below is a complete list of vulnerabilities

An unknown vulnerability at Windows Reader can be exploited remotely via a specially designed file to execute arbitrary code;
An improper API calls handling at Windows PDF library can be exploited remotely via a specially designed PDF document to execute arbitrary code;
An improper parsing at Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code;
An improper memory objects handling at Windows Kernel can be exploited by logged in attacker via a specially designed application to gain privileges;
An improper input validation at DLL loading can be exploited by logged in attacker via a specially designed application to execute arbitrary code;
An unknown vulnerability at Microsoft Sync Framework can be exploited by authenticated remote attacker via a specially designed network packet to cause denial of service;
Lack of password change check at Kerberos can be exploited locally via a specially designed Kerberos Key Distribution Center to bypass security feature;
An improper input validation at Web Distributed Authoring and Versioning client can be exploited by logged in attacker via a specially designed application to gain privileges;
An improper memory objects handling at Remote Desktop Protocol can be exploited by authenticated attacker via a specially designed application to gain privileges;
An improper memory objects handling at Windows kernel-mode driver can be exploited by logged in attacker via a specially designed application to gain privileges;
An improper handling of Remote Authentication Dial-In User Service (RADIUS) requests at Network Policy Server can be exploited remotely via a specially designed requests to cause denial of service.

Technical details

To mitigate vulnerability (3) you can also implement one of workarounds proposed by Microsoft: stop opening suspicious file attachments, remove journal files association, disable Windows Journal feature or deny access to Journal.exe. For further instructions about this workarounds look at MS16-013 advisory.

Successful exploitation of vulnerability (4) allows attacker to run arbitrary code in kernel mode.

To exploit vulnerability (6) attacker could send specially designed input that use „change batch“ structure. Successful exploitation of this vulnerability can cause target SyncShareSvc service to stop responding.

Vulnerability (7) can be exploited via connecting workstation to a malicious Key Distribution Center. Successful exploitation of this vulnerability allows attacker to bypass Kerberos authentication and decrypt drives protected by BitLocker. Attack by this vector available only if domain user logged in on the target machine and target system must have BitLocker enabled without a PIN or USB key. You can mitigate this vulnerability by disabling cashing of domain logon information. For further workaround instructions look at MS16-014 advisory.

To mitigate vulnerability (8) you can disable WebDAV driver. For further workaround instructions look at MS16-016 advisory.

To mitigate vulnerability (9) you can disable RDP. For further instructions look at MS16-017 advisory.

Beeinträchtigte Produkte

Microsoft Windows Vista Service Pack 2
Microsoft Windows Server 2008 Service Pack 2
Microsoft Windows 7 Service Pack 1
Microsoft Windows Server 2008 R2 Service Pack 1
Microsoft Windows 8.1
Microsoft Windows RT 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows 10
Microsoft Windows 10 1511

Lösung

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Ursprüngliche Informationshinweise

CVE-2016-0041
CVE-2016-0040
CVE-2016-0036
CVE-2016-0051
CVE-2016-0050
CVE-2016-0049
CVE-2016-0048
CVE-2016-0046
CVE-2016-0044
CVE-2016-0042
CVE-2016-0038
CVE-2016-0058

Folgen

?

ACE

[?]

DoS

[?]

SB

[?]

PE

[?]

CVE-IDS

?

CVE-2016-00417.2Critical
CVE-2016-00407.2Critical
CVE-2016-00367.2Critical
CVE-2016-00517.2Critical
CVE-2016-00505.0Critical
CVE-2016-00492.1Critical
CVE-2016-00487.2Critical
CVE-2016-00469.3Critical
CVE-2016-00445.0Critical
CVE-2016-00427.2Critical
CVE-2016-00389.3Critical
CVE-2016-00589.3Critical

Offizielle Informationshinweise von Microsoft

Microsoft Sicherheitsupdate-Guide

KB-Liste

3124280
3126587
3135173
3135174
3126593
3134214
3136082
3126434
3138938
3115858
3126446
3134228
3136041
3133043
3134700
3134811
3123294

Link zum Original

Erkennungsdatum ?	02/09/2016
Schweregrad ?	Kritisch
Beschreibung	Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, bypass security restrictions or gain privileges. Below is a complete list of vulnerabilities An unknown vulnerability at Windows Reader can be exploited remotely via a specially designed file to execute arbitrary code; An improper API calls handling at Windows PDF library can be exploited remotely via a specially designed PDF document to execute arbitrary code; An improper parsing at Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code; An improper memory objects handling at Windows Kernel can be exploited by logged in attacker via a specially designed application to gain privileges; An improper input validation at DLL loading can be exploited by logged in attacker via a specially designed application to execute arbitrary code; An unknown vulnerability at Microsoft Sync Framework can be exploited by authenticated remote attacker via a specially designed network packet to cause denial of service; Lack of password change check at Kerberos can be exploited locally via a specially designed Kerberos Key Distribution Center to bypass security feature; An improper input validation at Web Distributed Authoring and Versioning client can be exploited by logged in attacker via a specially designed application to gain privileges; An improper memory objects handling at Remote Desktop Protocol can be exploited by authenticated attacker via a specially designed application to gain privileges; An improper memory objects handling at Windows kernel-mode driver can be exploited by logged in attacker via a specially designed application to gain privileges; An improper handling of Remote Authentication Dial-In User Service (RADIUS) requests at Network Policy Server can be exploited remotely via a specially designed requests to cause denial of service. Technical details To mitigate vulnerability (3) you can also implement one of workarounds proposed by Microsoft: stop opening suspicious file attachments, remove journal files association, disable Windows Journal feature or deny access to Journal.exe. For further instructions about this workarounds look at MS16-013 advisory. Successful exploitation of vulnerability (4) allows attacker to run arbitrary code in kernel mode. To exploit vulnerability (6) attacker could send specially designed input that use „change batch“ structure. Successful exploitation of this vulnerability can cause target SyncShareSvc service to stop responding. Vulnerability (7) can be exploited via connecting workstation to a malicious Key Distribution Center. Successful exploitation of this vulnerability allows attacker to bypass Kerberos authentication and decrypt drives protected by BitLocker. Attack by this vector available only if domain user logged in on the target machine and target system must have BitLocker enabled without a PIN or USB key. You can mitigate this vulnerability by disabling cashing of domain logon information. For further workaround instructions look at MS16-014 advisory. To mitigate vulnerability (8) you can disable WebDAV driver. For further workaround instructions look at MS16-016 advisory. To mitigate vulnerability (9) you can disable RDP. For further instructions look at MS16-017 advisory.
Beeinträchtigte Produkte	Microsoft Windows Vista Service Pack 2 Microsoft Windows Server 2008 Service Pack 2 Microsoft Windows 7 Service Pack 1 Microsoft Windows Server 2008 R2 Service Pack 1 Microsoft Windows 8.1 Microsoft Windows RT 8.1 Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows 10 Microsoft Windows 10 1511
Lösung	Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Ursprüngliche Informationshinweise	CVE-2016-0041 CVE-2016-0040 CVE-2016-0036 CVE-2016-0051 CVE-2016-0050 CVE-2016-0049 CVE-2016-0048 CVE-2016-0046 CVE-2016-0044 CVE-2016-0042 CVE-2016-0038 CVE-2016-0058
Folgen ?	ACE [?] DoS [?] SB [?] PE [?]
CVE-IDS ?	CVE-2016-00417.2Critical CVE-2016-00407.2Critical CVE-2016-00367.2Critical CVE-2016-00517.2Critical CVE-2016-00505.0Critical CVE-2016-00492.1Critical CVE-2016-00487.2Critical CVE-2016-00469.3Critical CVE-2016-00445.0Critical CVE-2016-00427.2Critical CVE-2016-00389.3Critical CVE-2016-00589.3Critical
Offizielle Informationshinweise von Microsoft	Microsoft Sicherheitsupdate-Guide
KB-Liste	3124280 3126587 3135173 3135174 3126593 3134214 3136082 3126434 3138938 3115858 3126446 3134228 3136041 3133043 3134700 3134811 3123294
	Link zum Original