KLA10751 Multiple vulnerabilities in Microsoft Windows

Kaspersky Lab
threats.kaspersky.com
Published: 2016-02-09 00:00:00

CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.7 High (Confidence: High)

CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.949 High (Percentile: 99.3%)

Multiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, bypass security restrictions or gain privileges.

Below is a complete list of vulnerabilities:

  1. An unknown vulnerability in Windows Reader can be exploited remotely via a specially designed file to execute arbitrary code;
  2. Improper handling of API calls in the Windows PDF library can be exploited remotely via a specially designed PDF document to execute arbitrary code;
  3. Improper parsing in Windows Journal can be exploited remotely via a specially designed Journal file to execute arbitrary code;
  4. Improper handling of memory objects in the Windows kernel can be exploited by a logged-in attacker via a specially designed application to gain privileges;
  5. Improper input validation during DLL loading can be exploited by a logged-in attacker via a specially designed application to execute arbitrary code;
  6. An unknown vulnerability in Microsoft Sync Framework can be exploited by an authenticated remote attacker via a specially designed network packet to cause denial of service;
  7. A missing password change check in Kerberos can be exploited locally via a specially designed Kerberos Key Distribution Center to bypass a security feature;
  8. Improper input validation in the Web Distributed Authoring and Versioning (WebDAV) client can be exploited by a logged-in attacker via a specially designed application to gain privileges;
  9. Improper handling of memory objects in Remote Desktop Protocol can be exploited by an authenticated attacker via a specially designed application to gain privileges;
  10. Improper handling of memory objects in the Windows kernel-mode driver can be exploited by a logged-in attacker via a specially designed application to gain privileges;
  11. Improper handling of Remote Authentication Dial-In User Service (RADIUS) requests in Network Policy Server can be exploited remotely via specially designed requests to cause denial of service.

Technical details

To mitigate vulnerability (3) you can also implement one of the workarounds proposed by Microsoft: stop opening suspicious file attachments, remove the Journal file association, disable the Windows Journal feature, or deny access to Journal.exe. For further instructions about these workarounds see the MS16-013 advisory.

Successful exploitation of vulnerability (4) allows an attacker to run arbitrary code in kernel mode.

To exploit vulnerability (6) an attacker could send specially designed input that uses a "change batch" structure. Successful exploitation of this vulnerability can cause the target SyncShareSvc service to stop responding.

Vulnerability (7) can be exploited by connecting a workstation to a malicious Key Distribution Center. Successful exploitation of this vulnerability allows an attacker to bypass Kerberos authentication and decrypt drives protected by BitLocker. This attack vector is available only if a domain user has logged in on the target machine and the target system has BitLocker enabled without a PIN or USB key. You can mitigate this vulnerability by disabling caching of domain logon information. For further workaround instructions see the MS16-014 advisory.

To mitigate vulnerability (8) you can disable the WebDAV driver. For further workaround instructions see the MS16-016 advisory.

To mitigate vulnerability (9) you can disable RDP. For further instructions see the MS16-017 advisory.
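The preconditions and workarounds described above for vulnerabilities (3), (7), (8) and (9) can be audited on a host before relying on them. The following read-only PowerShell check is an added example, not code from the Kaspersky advisory or from Microsoft; it assumes the service key name MRxDAV for the WebDAV client driver, the .jnt extension for Journal files, and the standard CachedLogonsCount and fDenyTSConnections registry values.

```powershell
# Added example: read-only audit of the conditions this advisory ties to
# vulnerabilities (3), (7), (8) and (9). Run in an elevated PowerShell on a
# domain-joined client; Get-BitLockerVolume needs the BitLocker module
# (Windows 8 / Server 2012 and later).
function Test-Kla10751Exposure {
    $findings = @()

    # (7) Exploitable only if the OS drive is BitLocker-protected by TPM alone,
    # i.e. no protector that requires a PIN or a startup (USB) key.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($os -and $os.ProtectionStatus -eq 'On') {
        $types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if (-not ($types -match 'Pin|StartupKey')) {
            $findings += "(7) BitLocker on $env:SystemDrive uses TPM only: protectors = $($types -join ', ')"
        }
    }

    # (7) MS16-014 workaround: disable cached domain logons. CachedLogonsCount
    # defaults to 10; only 0 means no credentials are cached (assumed value name).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached -or [int]$cached -ne 0) {
        $findings += "(7) domain logon caching still enabled (CachedLogonsCount = $cached)"
    }

    # (8) MS16-016 workaround: WebDAV client driver disabled. Assumes the service
    # key name MRxDAV; Start = 4 is SERVICE_DISABLED.
    $dav = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxDAV' -ErrorAction SilentlyContinue
    if ($dav -and $dav.Start -ne 4) {
        $findings += "(8) WebDAV driver MRxDAV not disabled (Start = $($dav.Start))"
    }

    # (9) MS16-017 workaround: RDP disabled. fDenyTSConnections = 1 means disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -ne 1) {
        $findings += "(9) Remote Desktop connections still allowed"
    }

    # (3) MS16-013 workaround: Journal file association removed (assumes .jnt).
    if (Test-Path -Path 'HKLM:\SOFTWARE\Classes\.jnt') {
        $findings += "(3) .jnt file association still present (Windows Journal)"
    }

    return ,$findings
}

$result = Test-Kla10751Exposure
if ($result.Count -eq 0) { 'No KLA10751 workaround gaps found' } else { $result }
```

The script only reads state; applying any of the workarounds (and installing the KB updates listed below) remains a separate, deliberate change.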

Original advisories

CVE-2016-0041, CVE-2016-0040, CVE-2016-0036, CVE-2016-0051, CVE-2016-0050, CVE-2016-0049, CVE-2016-0048, CVE-2016-0046, CVE-2016-0044, CVE-2016-0042, CVE-2016-0038, CVE-2016-0058

Exploitation

Public exploits exist for this vulnerability.

Malware exists for this vulnerability. Usually such malware is classified as Exploit.

Related products

Microsoft-Windows-Vista-4, Microsoft-Windows-Server-2012, Microsoft-Windows-8, Microsoft-Windows-7, Microsoft-Windows-Server-2008, Windows-RT, Microsoft-Windows-10

CVE list

  CVE-2016-0041 critical
  CVE-2016-0040 critical
  CVE-2016-0036 critical
  CVE-2016-0051 critical
  CVE-2016-0050 high
  CVE-2016-0049 high
  CVE-2016-0048 critical
  CVE-2016-0046 critical
  CVE-2016-0044 critical
  CVE-2016-0042 critical
  CVE-2016-0038 critical
  CVE-2016-0058 critical

KB list

3124280, 3126587, 3135173, 3135174, 3126593, 3134214, 3136082, 3126434, 3138938, 3115858, 3126446, 3134228, 3136041, 3133043, 3134700, 3134811, 3123294

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE: Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to the attacker executing any code or commands on the vulnerable machine or in the vulnerable process.
  • DoS: Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or a critical functional fault.
  • SB: Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by the current security settings.
  • PE: Privilege escalation. Exploitation of vulnerabilities with this impact can lead to the attacker performing actions that are normally disallowed for the current role.

Affected Products

  • Microsoft Windows Vista Service Pack 2
  • Microsoft Windows Server 2008 Service Pack 2
  • Microsoft Windows 7 Service Pack 1
  • Microsoft Windows Server 2008 R2 Service Pack 1
  • Microsoft Windows 8.1
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10
  • Microsoft Windows 10 1511
