Windows Kernel win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow MS15-115
2015-11-16T00:00:00
ID EDB-ID:38713 Type exploitdb Reporter Google Security Research Modified 2015-11-16T00:00:00
Description
Windows Kernel win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115). CVE-2015-6104. Dos exploit for windows platform
Source: https://code.google.com/p/google-security-research/issues/detail?id=507
We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff900c49ab000, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff96000324c14, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!or_all_N_wide_rotated_need_last+70
fffff960`00324c14 410802 or byte ptr [r10],al
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD6
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690)
.trap 0xfffff88007531690
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007
rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5
r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000
r11=0000000000000007 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!or_all_N_wide_rotated_need_last+0x70:
fffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=??
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0
STACK_TEXT:
fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx
fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e
fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70
fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f
fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5
fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54
fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b
fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a
fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002
fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0
fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368
---
While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.
We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:
---
rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780
r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4
r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!PopThreadGuardedObject+0x16:
fffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????
---
While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38713.zip
{"id": "EDB-ID:38713", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Windows Kernel win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow MS15-115", "description": "Windows Kernel win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115). CVE-2015-6104. Dos exploit for windows platform", "published": "2015-11-16T00:00:00", "modified": "2015-11-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/38713/", "reporter": "Google Security Research", "references": [], "cvelist": ["CVE-2015-6104"], "lastseen": "2016-02-04T08:41:58", "viewCount": 4, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-02-04T08:41:58", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-6104"]}, {"type": "symantec", "idList": ["SMNTC-77465"]}, {"type": "mskb", "idList": ["KB3105864"]}, {"type": "nessus", "idList": ["SMB_NT_MS15-115.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806157"]}, {"type": "kaspersky", "idList": ["KLA10694"]}], "modified": "2016-02-04T08:41:58", "rev": 2}, "vulnersScore": 7.4}, "sourceHref": "https://www.exploit-db.com/download/38713/", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=507\r\n\r\nWe have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:\r\n\r\n---\r\nDRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)\r\nN bytes of memory was allocated and more than N bytes are being referenced.\r\nThis cannot be protected by try-except.\r\nWhen possible, the guilty driver's name (Unicode string) is printed on\r\nthe bugcheck screen and saved in KiBugCheckDriver.\r\nArguments:\r\nArg1: fffff900c49ab000, memory referenced\r\nArg2: 0000000000000001, value 0 = read operation, 1 = write operation\r\nArg3: fffff96000324c14, if non-zero, the address which referenced memory.\r\nArg4: 0000000000000000, (reserved)\r\n\r\n[...]\r\n\r\nFAULTING_IP: \r\nwin32k!or_all_N_wide_rotated_need_last+70\r\nfffff960`00324c14 410802 or byte ptr [r10],al\r\n\r\nMM_INTERNAL_CODE: 0\r\n\r\nDEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT\r\n\r\nBUGCHECK_STR: 0xD6\r\n\r\nCURRENT_IRQL: 0\r\n\r\nTRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690)\r\n.trap 0xfffff88007531690\r\nNOTE: The trap frame does not contain all registers.\r\nSome register values may be zeroed or incorrect.\r\nrax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007\r\nrdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000\r\nrip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5\r\n r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000\r\nr11=0000000000000007 r12=0000000000000000 r13=0000000000000000\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na po nc\r\nwin32k!or_all_N_wide_rotated_need_last+0x70:\r\nfffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=??\r\n.trap\r\nResetting default scope\r\n\r\nLAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0\r\n\r\nSTACK_TEXT: \r\nfffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx\r\nfffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f\r\nfffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e\r\nfffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70\r\nfffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f\r\nfffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5\r\nfffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54\r\nfffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b\r\nfffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a\r\nfffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002\r\nfffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0\r\nfffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368\r\n---\r\n\r\nWhile the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.\r\n\r\nWe believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:\r\n\r\n---\r\nrax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320\r\nrdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000\r\nrip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780\r\n r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4\r\nr11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz na po nc\r\nwin32k!PopThreadGuardedObject+0x16:\r\nfffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????\r\n---\r\n\r\nWhile we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.\r\n\r\nThe issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.\r\n\r\nAttached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38713.zip\r\n", "osvdbidlist": ["130048"]}
{"cve": [{"lastseen": "2020-10-03T12:49:54", "description": "The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted embedded font, aka \"Windows Graphics Memory Remote Code Execution Vulnerability,\" a different vulnerability than CVE-2015-6103.", "edition": 3, "cvss3": {}, "published": "2015-11-11T12:59:00", "title": "CVE-2015-6104", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6104"], "modified": "2019-05-17T20:01:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_rt:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-6104", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6104", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-12T00:30:34", "bulletinFamily": "software", "cvelist": ["CVE-2015-6104"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits allow attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows RT \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, block access at the network perimeter to computers hosting the vulnerable operating system.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Do not use client software to access unknown or untrusted hosts from critical systems.** \nTo limit the risk of exploits, never connect to unknown or untrusted services.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-11-10T00:00:00", "published": "2015-11-10T00:00:00", "id": "SMNTC-77465", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/77465", "type": "symantec", "title": "Microsoft Windows Graphics Memory CVE-2015-6104 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2021-01-01T22:43:45", "bulletinFamily": "microsoft", "cvelist": ["CVE-2015-6113", "CVE-2015-6103", "CVE-2015-6109", "CVE-2015-6101", "CVE-2015-6100", "CVE-2015-6104", "CVE-2015-6102"], "description": "<html><body><p>Resolves vulnerabilities in Windows that could allow remote code execution if an attacker convinces a user to open a specially crafted document or to go to an untrusted webpage that contains embedded fonts.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker convinces a user to open a specially crafted document or to go to an untrusted webpage that contains embedded fonts. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms15-115\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS15-115</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>More information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-6\" target=\"_self\">3097877</a> MS15-115: Description of the security update for Windows: November 10, 2015<br/><br/><br/><span class=\"text-base\">Note </span>This security update was rereleased on November 11, 2015, for Windows 7 and Windows Server 2008 R2 to resolve the following issues:<br/><ul class=\"sbody-free_list\"><li>Resolves crashing that occurred in all supported versions of Microsoft Outlook when users were reading certain emails. </li><li>Resolves problems that occurred while users were logging on to the system. For example, after a user restarted the computer and then pressed Ctrl+Alt+Delete at the logon screen, the screen flashed and then went black. The user was then unable to continue. There may be other, similar logon issues that are related to this issue. </li></ul>If you cannot log on to your Windows 7-based computer because of this issue, we recommend that you uninstall security update 3097877 and then install all the latest updates from <a href=\"http://windows.microsoft.com/en-us/windows7/install-windows-updates\" id=\"kb-link-7\" target=\"_self\">Windows Update</a>. KB <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-8\" target=\"_self\">3097877</a> provides ways to uninstall the update. <br/><br/><br/></li><li><a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-9\" target=\"_self\">3101746</a> MS15-115: Description of the security update for Windows: November 10, 2015<br/></li><li><a href=\"https://support.microsoft.com/help/3105213\" id=\"kb-link-10\" target=\"_self\">3105213</a> Cumulative update for Windows 10: November 10, 2015 </li><li><a href=\"https://support.microsoft.com/help/3105211\" id=\"kb-link-11\" target=\"_self\">3105211</a> Cumulative update for Windows 10 Version 1511: November 10, 2015</li></ul></div><h2>How to get and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-13\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT and Windows RT 8.1, this update is available through Windows Update only.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 2: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can get the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms15-115\" id=\"kb-link-14\" target=\"_self\">Microsoft Security Bulletin MS15-115</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3097877-x86.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.0-KB3101746-x86.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3097877-x64.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.0-KB3101746-x64.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-15\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-17\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3097877-x86.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.0-KB3101746-x86.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3097877-x64.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.0-KB3101746-x64.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3097877-ia64.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.0-KB3101746-ia64.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3097877-x86.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.1-KB3101746-x86.msu </span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3097877-x64.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.1-KB3101746-x64.msu </span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3097877-x64.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.1-KB3101746-x64.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3097877-ia64.msu</span><span class=\"text-base\"><br/><span class=\"text-base\">Windows6.1-KB3101746-ia64.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 8 and Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3097877-x86.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows8-RT-KB3101746-x86.msu </span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3097877-x64.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows8-RT-KB3101746-x64.msu </span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3097877-x86.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows8.1-KB3101746-x86.msu</span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3097877-x64.msu </span><span class=\"text-base\"><br/><span class=\"text-base\">Windows8.1-KB3101746-x64.msu </span></span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3097877-x64.msu</span><br/><span class=\"text-base\">Windows8-RT-KB3101746-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3097877-x64.msu</span><br/><span class=\"text-base\">Windows8.1-KB3101746-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows RT and Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">These updates are available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-33\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3097877\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 3097877</a><br/>See <a href=\"https://support.microsoft.com/help/3101746\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3101746</a></td></tr></table></div><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3105213-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3105213-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3105211-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3105211-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-36\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3105213\" id=\"kb-link-37\" target=\"_self\">Microsoft Knowledge Base Article 3105213</a><br/>See <a href=\"https://support.microsoft.com/help/3105211\" id=\"kb-link-38\" target=\"_self\">Microsoft Knowledge Base Article 3105211</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">Package Name</th><th class=\"sbody-th\">Package Hash SHA 1</th><th class=\"sbody-th\">Package Hash SHA 2</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3101746-ia64.msu</td><td class=\"sbody-td\">77C06D8223FA31556FB662A99F2A6CA93F7468A2</td><td class=\"sbody-td\">5E1C75C5104C7C775E95EDFCF5D4496D657B3F135C75D3C1D123FDD1F8B47961</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3101746-x64.msu</td><td class=\"sbody-td\">BD847847276CD286FEF6910886D8CFD791EBE875</td><td class=\"sbody-td\">C0C7781125EE8E814EC7B3EAC1022E8FAEAE6A13E73EAEBCEE5A683FC8AC0E1A</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3101746-x86.msu</td><td class=\"sbody-td\">2B9FA873CEE179A5DC793B5D035E554ADB5D1189</td><td class=\"sbody-td\">8D1D33FFC9D4279E915E4441468562D1CCD04BB0055E9447AD665A0D93C56EBE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3097877-ia64.msu</td><td class=\"sbody-td\">96F13C7CFF546C9AD18D15337E0071BC2BDA57A3</td><td class=\"sbody-td\">2A7789142C34B9FAA81F4F7789D634AF4CA88DC8A06BE6693D66C0D08D2859C9</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3097877-x64.msu</td><td class=\"sbody-td\">2B6133381E9668BABAA92D5F6DFC21EED74264C3</td><td class=\"sbody-td\">912384A98CB81CDA6FC85CB892B7198F8079766D20E35C308BEF8546DAAAD269</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3097877-x86.msu</td><td class=\"sbody-td\">D1E87B12BF81F6C5E34B1654906EF878EC456A9D</td><td class=\"sbody-td\">ED5E507BF101F06B50B73F0753CCA52FFE8226E1476A207805CA2C83DB258146</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3101746-arm.msu</td><td class=\"sbody-td\">E75DF3DB8A76C55475B42936A86FCA3978290946</td><td class=\"sbody-td\">BA78B31BCF2DB4F0959D3C96DF1F3E8EB90832BBD99791E9ABCEAF8ACDC5C5F1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3101746-x64.msu</td><td class=\"sbody-td\">185499C2BD878854A4944FC43F66A2068D8C2BCB</td><td class=\"sbody-td\">0474440D1E1807A74C6605DCFE47AFBA4EC38F7B6911046CB14086198D35ADFC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8.1-KB3101746-x86.msu</td><td class=\"sbody-td\">899F9CD746720CA080F9E4FFDB7B8E00947327F9</td><td class=\"sbody-td\">2A73562162DFDE1516489D40E9A45CB6EB193B14FEA27FB766803750346071E6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3101746-arm.msu</td><td class=\"sbody-td\">4C156F90382FC41667D87A836B64A8AD4906A17B</td><td class=\"sbody-td\">0D570D1863C75B5423DC2AA378E339F0A2C3EE4E9E65A134C3A20B2AF52E36E6</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3101746-x64.msu</td><td class=\"sbody-td\">7FB82FC393465D0B6139268BEFCA14687583788C</td><td class=\"sbody-td\">9A571AC2A765742F064BF1625BA679B6C778A62A18F12A6071D3E2D5650D86C2</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3101746-x86.msu</td><td class=\"sbody-td\">BFBC230D49F184E196144DCDB0D93EE6C241997F</td><td class=\"sbody-td\">8DAEE22651F2EC5AD7D7A6B269B61F654F8D304AB33802BC171751AF0AE24CE5</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to get help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-39\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-40\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-41\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-42\" target=\"_self\">International Support</a></div><br/></span></div></div></div></div></body></html>", "edition": 2, "modified": "2015-11-13T00:59:59", "id": "KB3105864", "href": "https://support.microsoft.com/en-us/help/3105864/", "published": "2015-11-10T00:00:00", "title": "MS15-115: Security update for Windows to address remote code execution: November 10, 2015", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:50:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-6113", "CVE-2015-6103", "CVE-2015-6109", "CVE-2015-6101", "CVE-2015-6100", "CVE-2015-6104", "CVE-2015-6102"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS15-115.", "modified": "2020-06-09T00:00:00", "published": "2015-11-11T00:00:00", "id": "OPENVAS:1361412562310806157", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806157", "type": "openvas", "title": "Microsoft Windows Remote Code Execution Vulnerabilities (3105864)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Remote Code Execution Vulnerabilities (3105864)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806157\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-6100\", \"CVE-2015-6101\", \"CVE-2015-6102\", \"CVE-2015-6103\",\n \"CVE-2015-6104\", \"CVE-2015-6109\", \"CVE-2015-6113\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-11-11 10:53:23 +0530 (Wed, 11 Nov 2015)\");\n script_name(\"Microsoft Windows Remote Code Execution Vulnerabilities (3105864)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS15-115.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - The way that Windows handles objects in memory. An attacker who successfully\n exploited the vulnerabilities could run arbitrary code in kernel mode.\n\n - The Windows fails to properly initialize memory addresses, allowing an\n attacker to retrieve information that could lead to a Kernel Address Space\n Layout Randomization (KASLR) bypass.\n\n - The Adobe Type Manager Library in Windows improperly handles specially\n crafted embedded fonts.\n\n - The Windows kernel fails to properly validate permissions, allowing an\n attacker to inappropriately interact with the filesystem from low\n integrity level user-mode applications.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to do Kernel Address Space Layout Randomization (KASLR) bypass and execute\n arbitrary code taking complete control of the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8/8.1 x32/x64\n\n - Microsoft Edge on Microsoft Windows 10 x32/x64\n\n - Microsoft Windows Server 2012/R2\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3097877\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3101746\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms15-115\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2,\n win2008:3, win2008r2:2, win8:1, win8x64:1, win2012:1,\n win2012R2:1, win8_1:1, win8_1x64:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Win32k.sys\");\nexeVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Ntoskrnl.exe\");\nif(!dllVer && !exeVer){\n exit(0);\n}\n\n## Currently not supporting for Vista and Windows Server 2008 64 bit\nif(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.19525\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"Less than 6.0.6002.19525\";\n }\n\n else if(version_in_range(version:dllVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23834\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.23834\";\n }\n }\n\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"6.0.6002.19514\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"Less than 6.0.6002.19514\";\n }\n\n else if(version_in_range(version:exeVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23823\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.23823\";\n }\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.1.7601.19044\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"Less than 6.1.7601.19044\";\n }\n\n else if(version_in_range(version:dllVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.23249\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"6.1.7601.22000 - 6.1.7601.23249\";\n }\n }\n\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"6.1.7601.19045\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"Less than 6.1.7601.19045\";\n }\n\n else if(exeVer && version_in_range(version:exeVer, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.23249\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"6.1.7601.22000 - 6.1.7601.23249\";\n }\n }\n}\n\nelse if(hotfix_check_sp(win8:1, win8x64:1, win2012:1) > 0)\n{\n if(dllVer)\n {\n if(version_is_less(version:dllVer, test_version:\"6.2.9200.17554\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"Less than 6.2.9200.17554\";\n }\n\n else if(version_in_range(version:dllVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.21670\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"6.2.9200.20000 - 6.2.9200.21670\";\n }\n }\n\n if(exeVer)\n {\n if(version_is_less(version:exeVer, test_version:\"6.2.9200.17557\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"Less than 6.2.9200.17557\";\n }\n\n else if(version_in_range(version:exeVer, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.21673\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"6.2.9200.20000 - 6.2.9200.21673\";\n }\n }\n}\n\n## Win 8.1 and win2012R2\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(dllVer && version_is_less(version:dllVer, test_version:\"6.3.9600.18093\"))\n {\n VULN2 = TRUE ;\n Vulnerable_range = \"Less than 6.3.9600.18093\";\n }\n\n else if(exeVer && version_is_less(version:exeVer, test_version:\"6.3.9600.18090\"))\n {\n VULN3 = TRUE ;\n Vulnerable_range = \"Less than 6.3.9600.18090\";\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && dllVer)\n{\n if(version_is_less(version:dllVer, test_version:\"10.0.10240.16384\"))\n {\n Vulnerable_range = \"Less than 10.0.10240.16384\";\n VULN2 = TRUE ;\n }\n\n else if(version_in_range(version:dllVer, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.2\"))\n {\n Vulnerable_range = \"10.0.10586.0 - 10.0.10586.2\";\n VULN2 = TRUE ;\n }\n}\n\nif(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Win32k.sys\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nif(VULN3)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Ntoskrnl.exe\" + '\\n' +\n 'File version: ' + exeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:45", "description": "The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist\n that are related to the handling of objects in memory.\n A local attacker can exploit these, via a crafted\n application, to run arbitrary code in kernel mode.\n (CVE-2015-6100, CVE-2015-6101)\n\n - Multiple information disclosure vulnerabilities exist\n due to a failure to properly initialize memory\n addresses. A local attacker can exploit these, via a\n specially crafted application, to bypass the Kernel\n Address Space Layout Randomization (KASLR) and retrieve\n the base address of the Kernel driver from a compromised\n process. (CVE-2015-6102, CVE-2015-6109)\n\n - Multiple remote code execution vulnerabilities exist\n in the Adobe Type Manager Library due to improper\n handling of specially crafted fonts. An unauthenticated,\n remote attacker can exploit these, via a crafted\n document or web page, to execute arbitrary code.\n (CVE-2015-6103, CVE-2015-6104)\n\n - A security feature bypass vulnerability exists due to\n improper validation of permissions. A local attacker can\n exploit this to interact with the file system in an\n inappropriate manner to modify files, by using a\n crafted, low-integrity-level, user-mode application.\n (CVE-2015-6113)", "edition": 25, "published": "2015-11-10T00:00:00", "title": "MS15-115: Security Update for Microsoft Windows to Address Remote Code Execution (3105864)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-6113", "CVE-2015-6103", "CVE-2015-6109", "CVE-2015-6101", "CVE-2015-6100", "CVE-2015-6104", "CVE-2015-6102"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS15-115.NASL", "href": "https://www.tenable.com/plugins/nessus/86822", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86822);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\n \"CVE-2015-6100\",\n \"CVE-2015-6101\",\n \"CVE-2015-6102\",\n \"CVE-2015-6103\",\n \"CVE-2015-6104\",\n \"CVE-2015-6109\",\n \"CVE-2015-6113\"\n );\n script_bugtraq_id(\n 77458,\n 77460,\n 77462,\n 77463,\n 77464,\n 77465,\n 77466\n );\n script_xref(name:\"MSFT\", value:\"MS15-115\");\n script_xref(name:\"MSKB\", value:\"3097877\");\n script_xref(name:\"MSKB\", value:\"3101746\");\n script_xref(name:\"MSKB\", value:\"3105211\");\n script_xref(name:\"MSKB\", value:\"3105213\");\n script_xref(name:\"IAVA\", value:\"2015-A-0299\");\n\n script_name(english:\"MS15-115: Security Update for Microsoft Windows to Address Remote Code Execution (3105864)\");\n script_summary(english:\"Checks the version of win32k.sys, ntdll.dll, and msobjs.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by the following vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist\n that are related to the handling of objects in memory.\n A local attacker can exploit these, via a crafted\n application, to run arbitrary code in kernel mode.\n (CVE-2015-6100, CVE-2015-6101)\n\n - Multiple information disclosure vulnerabilities exist\n due to a failure to properly initialize memory\n addresses. A local attacker can exploit these, via a\n specially crafted application, to bypass the Kernel\n Address Space Layout Randomization (KASLR) and retrieve\n the base address of the Kernel driver from a compromised\n process. (CVE-2015-6102, CVE-2015-6109)\n\n - Multiple remote code execution vulnerabilities exist\n in the Adobe Type Manager Library due to improper\n handling of specially crafted fonts. An unauthenticated,\n remote attacker can exploit these, via a crafted\n document or web page, to execute arbitrary code.\n (CVE-2015-6103, CVE-2015-6104)\n\n - A security feature bypass vulnerability exists due to\n improper validation of permissions. A local attacker can\n exploit this to interact with the file system in an\n inappropriate manner to modify files, by using a\n crafted, low-integrity-level, user-mode application.\n (CVE-2015-6113)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-115\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Vista, 2008, 7, 2008 R2,\n8, 2012, 8.1, 2012 R2, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS15-115';\nkbs = make_list(\n \"3097877\",\n \"3101746\",\n \"3105211\",\n \"3105213\"\n);\nvuln = 0;\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # 8.1 / 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"win32k.sys\", version:\"6.3.9600.18093\", min_version:\"6.3.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n # 8 / 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"win32k.sys\", version:\"6.2.9200.17554\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"win32k.sys\", version:\"6.2.9200.21671\", min_version:\"6.2.9200.20000 \", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n # 7 / 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"win32k.sys\", version:\"6.1.7601.19054\", min_version:\"6.1.7600.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"win32k.sys\", version:\"6.1.7601.23259\", min_version:\"6.1.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19525\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.23835\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3097877\")\n)\n vuln++;\n\nif (\n # 8.1 / 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"ntdll.dll\", version:\"6.3.9600.18007\", min_version:\"6.3.9600.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\") ||\n # 8 / 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"msobjs.dll\", version:\"6.2.9200.16384\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\") ||\n # 7 / 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"ntdll.dll\", version:\"6.1.7601.19045\", min_version:\"6.1.7600.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\") ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"ntdll.dll\", version:\"6.1.7601.23250\", min_version:\"6.1.7601.22000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\") ||\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntdll.dll\", version:\"6.0.6002.19514\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntdll.dll\", version:\"6.0.6002.23824\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3101746\")\n)\n vuln++;\nif (\n # 10\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"win32kfull.sys\", version:\"10.0.10586.3\", min_version:\"10.0.10586.0\", dir:\"\\system32\", bulletin:bulletin, kb:\"3105211\") ||\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"win32kfull.sys\", version:\"10.0.10240.16590\", dir:\"\\system32\", bulletin:bulletin, kb:\"3105213\")\n)\n vuln++;\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2015-6113", "CVE-2015-6103", "CVE-2015-6064", "CVE-2015-6109", "CVE-2015-6101", "CVE-2015-6100", "CVE-2015-6104", "CVE-2015-6102", "CVE-2015-6095", "CVE-2015-6073", "CVE-2015-2478", "CVE-2015-6112", "CVE-2015-6098", "CVE-2015-6111", "CVE-2015-6088", "CVE-2015-6078", "CVE-2015-6097"], "description": "### *Detect date*:\n11/10/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, gain privileges, bypass security restrictions, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows 10 \nMicrosoft Windows 10 Version 1511 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows 8 \nMicrosoft Windows 8.1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-6064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6064>) \n[CVE-2015-6113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6113>) \n[CVE-2015-6078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6078>) \n[CVE-2015-2478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2478>) \n[CVE-2015-6088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6088>) \n[CVE-2015-6098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6098>) \n[CVE-2015-6097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6097>) \n[CVE-2015-6073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6073>) \n[CVE-2015-6100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6100>) \n[CVE-2015-6112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6112>) \n[CVE-2015-6111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6111>) \n[CVE-2015-6109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6109>) \n[CVE-2015-6104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6104>) \n[CVE-2015-6103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6103>) \n[CVE-2015-6102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6102>) \n[CVE-2015-6101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6101>) \n[CVE-2015-6095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-6095>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2015-6064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6064>)9.3Critical \n[CVE-2015-6113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6113>)3.6Warning \n[CVE-2015-6078](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6078>)9.3Critical \n[CVE-2015-2478](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2478>)7.2High \n[CVE-2015-6088](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6088>)4.3Warning \n[CVE-2015-6098](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6098>)7.2High \n[CVE-2015-6097](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6097>)9.3Critical \n[CVE-2015-6073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6073>)9.3Critical \n[CVE-2015-6100](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6100>)7.2High \n[CVE-2015-6112](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6112>)5.8High \n[CVE-2015-6111](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6111>)6.8High \n[CVE-2015-6109](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6109>)2.1Warning \n[CVE-2015-6104](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6104>)9.3Critical \n[CVE-2015-6103](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6103>)9.3Critical \n[CVE-2015-6102](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6102>)2.1Warning \n[CVE-2015-6101](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6101>)7.2High \n[CVE-2015-6095](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6095>)4.9Warning\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3081320](<http://support.microsoft.com/kb/3081320>) \n[3100213](<http://support.microsoft.com/kb/3100213>) \n[3105864](<http://support.microsoft.com/kb/3105864>) \n[3097877](<http://support.microsoft.com/kb/3097877>) \n[3105211](<http://support.microsoft.com/kb/3105211>) \n[3102939](<http://support.microsoft.com/kb/3102939>) \n[3105256](<http://support.microsoft.com/kb/3105256>) \n[3092601](<http://support.microsoft.com/kb/3092601>) \n[3101246](<http://support.microsoft.com/kb/3101246>) \n[3105213](<http://support.microsoft.com/kb/3105213>) \n[3104519](<http://support.microsoft.com/kb/3104519>) \n[3101722](<http://support.microsoft.com/kb/3101722>) \n[3104521](<http://support.microsoft.com/kb/3104521>) \n[3101746](<http://support.microsoft.com/kb/3101746>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 43, "modified": "2020-06-18T00:00:00", "published": "2015-11-10T00:00:00", "id": "KLA10694", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10694", "title": "\r KLA10694Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
