ID: MS:CVE-2016-3319 | Type: mscve | Reporter: Microsoft | Modified: 2016-08-12T07:00:00
Description
A remote code execution vulnerability exists when the Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content. Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.
The update addresses the vulnerability by modifying how affected systems handle objects in memory.
{"id": "MS:CVE-2016-3319", "bulletinFamily": "microsoft", "title": "Windows PDF Remote Code Execution Vulnerability", "description": "A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit the vulnerability on Windows 10 systems with Microsoft Edge set as the default browser, an attacker could host a specially crafted website that contains malicious PDF content and then convince users to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements, by adding specially crafted PDF content to such sites. Only Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content. 
Instead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.\n\nThe update addresses the vulnerability by modifying how affected systems handle objects in memory.\n", "published": "2016-08-12T07:00:00", "modified": "2016-08-12T07:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3319", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2016-3319"], "type": "mscve", "lastseen": "2020-08-07T11:45:32", "edition": 5, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3319"]}, {"type": "symantec", "idList": ["SMNTC-92293"]}, {"type": "seebug", "idList": ["SSV:96679"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808647", "OPENVAS:1361412562310808785"]}, {"type": "mskb", "idList": ["KB3177358", "KB3182248"]}, {"type": "thn", "idList": ["THN:2430321DE5D0D58ADEE21A4CEA8BC6A7"]}, {"type": "talos", "idList": ["TALOS-2016-0170"]}, {"type": "nessus", "idList": ["SMB_NT_MS16-102.NASL", "SMB_NT_MS16-096.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6"]}, {"type": "kaspersky", "idList": ["KLA10856", "KLA10858"]}], "modified": "2020-08-07T11:45:32", "rev": 2}, "score": {"value": 8.0, "vector": "NONE", "modified": "2020-08-07T11:45:32", "rev": 2}, "vulnersScore": 8.0}, "kbList": ["KB3175887", "KB3163912", "KB3176495", "KB3157569", "KB3176493", "KBNone", "KB3172985", "KB3176492"], "msrc": "", "mscve": "CVE-2016-3319", "msAffectedSoftware": [{"kb": "KB3176492", "kbSupersedence": "KB3163912", "msplatform": "Windows 10 for x64-based Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3176492", "kbSupersedence": "KB3163912", "msplatform": "Windows 10 for 32-bit Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3176493", 
"kbSupersedence": "KB3172985", "msplatform": "Windows 10 Version 1511 for 32-bit Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3175887", "kbSupersedence": "KB3157569", "msplatform": "", "name": "Windows 8.1 for x64-based systems"}, {"kb": "KB3176492", "kbSupersedence": "KB3163912", "msplatform": "", "name": "Windows 10 for 32-bit Systems"}, {"kb": "KB3176493", "kbSupersedence": "KB3172985", "msplatform": "", "name": "Windows 10 Version 1511 for 32-bit Systems"}, {"kb": "KB3176493", "kbSupersedence": "KB3172985", "msplatform": "", "name": "Windows 10 Version 1511 for x64-based Systems"}, {"kb": "KB3175887", "kbSupersedence": "KB3157569", "msplatform": "", "name": "Windows RT 8.1"}, {"kb": "KB3176493", "kbSupersedence": "KB3172985", "msplatform": "Windows 10 Version 1511 for x64-based Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3175887", "kbSupersedence": "KB3157569", "msplatform": "", "name": "Windows 8.1 for 32-bit systems"}, {"kb": "KB3175887", "kbSupersedence": "KB3157569", "msplatform": "", "name": "Windows Server 2012"}, {"kb": "KB3176492", "kbSupersedence": "KB3163912", "msplatform": "", "name": "Windows 10 for x64-based Systems"}, {"kb": "KB3176495", "kbSupersedence": "KBNone", "msplatform": "Windows 10 Version 1607 for x64-based Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3176495", "kbSupersedence": "KBNone", "msplatform": "Windows 10 Version 1607 for 32-bit Systems", "name": "Microsoft Edge (EdgeHTML-based)"}, {"kb": "KB3175887", "kbSupersedence": "KB3157569", "msplatform": "", "name": "Windows Server 2012 R2"}], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T12:10:44", "description": "The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allows remote attackers to execute arbitrary code via a crafted PDF file, aka \"Microsoft PDF Remote Code Execution Vulnerability.\"", "edition": 3, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-08-09T21:59:00", "title": "CVE-2016-3319", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3319"], "modified": "2018-10-12T22:12:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/a:microsoft:edge:*", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_8.1:*"], "id": "CVE-2016-3319", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3319", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:edge:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-14T22:41:50", "bulletinFamily": "software", "cvelist": ["CVE-2016-3319"], "description": "### Description\n\nMicrosoft Windows and Edge are prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Edge \n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. 
This includes but is not limited to unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2016-08-09T00:00:00", "published": "2016-08-09T00:00:00", "id": "SMNTC-92293", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/92293", "type": "symantec", "title": "Microsoft Windows and Edge CVE-2016-3319 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:24", "description": "### Description\r\nAn exploitable out of bounds write vulnerability exists in the PDF parsing API in the latest versions of Microsoft Windows. A specially crafted PDF file can cause an out of bounds write resulting in arbitrary code execution. Vulnerability can be triggered via malicious web page or a saved PDF file delivered by other means.\r\n\r\n### Tested Versions\r\nMicrosoft Windows PDF API Windows.Data.Pdf.dll version 10.0.10.586.162\r\n\r\n### Product URLs\r\nhttp://www.microsoft.com\r\n\r\n### CVSSv3 Score\r\n7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### Details\r\nThe vulnerability is present in the Microsoft native PDF API which is available since Windows 8.1. In Windows 10, Microsoft Edge is the default application for opening PDF files enabling potential vulnerabilities in native PDF API to be exploited over the Web.\r\n\r\nThere exists a vulnerability in the way Microsoft PDF API parses jpeg2000 files embedded in the PDF documents. 
A specially crafted jpeg2000 file can trigger a out of bounds memory overwrite and lead to remote code execution.\r\nJpeg2000 files consist of a number of containers or boxes. Contiguous Codestream box contains the actual image data in the jp2 file and can have a number of child boxes. Contiguous Codestream box starts with a \"jp2c\" marker.\r\n\r\nAccording to the standard, jp2c box can contain SIZ marker segment (image and tile size info), a COD marker segment (coding style default info), a QCD marker segment (quantization default information) and a number of tile part elements which can in turn contain their own COD, CQD and other child elements. Start markers for SIZ is 0xFF51, COD 0xFF52, QCD is 0xFF5C and tile part is 0xFF90. An example of the file layout can be as follows:\r\n\r\n```\r\n+------------------+\r\n| |\r\n| Codestream Box |\r\n| |\r\n+-------+----------+\r\n |\r\n | +---------+\r\n +------------+ SIZ |\r\n | +---------+\r\n | +---------+\r\n +------------+ COD |\r\n | +---------+\r\n | +---------+\r\n +------------+ CQD |\r\n | +---------+\r\n | +---------------+\r\n +------------+ Tile Parts |\r\n +------+--------+\r\n |\r\n | +-----------+\r\n +------+ Tile Part |\r\n | +-----+-----+\r\n | | +---------+\r\n | +---+ COD* |\r\n | | +---------+\r\n | | +---------+\r\n | +---+ CQD* |\r\n | | +---------+\r\n | | +---------+\r\n | +---+ COM* |\r\n | | +---------+\r\n | | +---------+\r\n | +---+ SOT |\r\n | +---------+\r\n |\r\n | +-------------+ *Optional\r\n +-------+ Tile Part |\r\n +-------------+\r\n```\r\nAccording to the standard, tile part elements can contain only COD, CQD, COM, and SOT elements where COD, CQD and COM are optional. 
In the supplied testcase triggering the vulnerability a tile part element has an unexpected SIZ element which gets parsed and leads to a vulnerability.\r\n\r\nElements are parsed one by one in a `CCodeStreamDecoder::DecodeMarkers` method where for each marker type, a suitable decoder is called:\r\n\r\n```\r\n.text:6E1EC62D push esi\r\n.text:6E1EC62E mov esi, [ebp+var_74]\r\n.text:6E1EC631 mov ecx, edi ; _DWORD\r\n.text:6E1EC633 push esi\r\n.text:6E1EC634 call ds:___guard_check_icall_fptr ; CType1NoOpReceiver<IType1EncodingReceiver>::Begin(void)\r\n.text:6E1EC63A call edi ; calls the decoder for specific marker\r\n.text:6E1EC63C jmp short loc_6E\r\n```\r\n\r\nWhen parsing a SIZ element, `edi` in the above code calls the `CCodeStreamDecoder::s_SIZMarkerDecoder` method. In it, various values are initialized. Amongst other things, SIZ marker specifies the number of components (csiz) as an 16 bit integer. This value is used to resize a vectors holding COD and CQD information:\r\n```\r\n.text:6E1EE747 mov eax, [edi]\r\n.text:6E1EE749 mov esi, [eax+10h]\r\n.text:6E1EE74C mov ecx, esi ; _DWORD\r\n.text:6E1EE74E call ds:___guard_check_icall_fptr ; CType1NoOpReceiver<IType1EncodingReceiver>::Begin(void)\r\n.text:6E1EE754 mov ecx, edi\r\n.text:6E1EE756 call esi ; [1]\r\n.text:6E1EE758 movzx esi, ax\r\n.text:6E1EE75B lea ecx, [ebx+78h]\r\n.text:6E1EE75E push esi\r\n.text:6E1EE75F mov [esp+0C4h+var_8C], esi\r\n.text:6E1EE763 mov [ebx+3Ch], esi\r\n.text:6E1EE766 call std::vector<QCD_MARKER,std::allocator<QCD_MARKER>>::resize(uint) [2]\r\n.text:6E1EE76B push esi\r\n.text:6E1EE76C lea ecx, [ebx+84h]\r\n.text:6E1EE772 call std::vector<COD_MARKER,std::allocator<COD_MARKER>>::resize(uint) [3]\r\n\r\n```\r\nIn the above disassembly, at [1] csiz value is read from the bytestream, at [2], it's used to resize the QCDMARKER vector, and at [3] the same for CODMARKER vector. 
The pointers to both are stored at `ebx+78h` and `ebx+84h` respectively.\r\n\r\nNext, COD marker decoder is called, `CCodeStreamDecoder::s_CODMarkerDecoder`, where the above resized vector is used in it's elements initialized in a loop:\r\n\r\n```\r\n.text:6E1ED9BD mov ecx, [edi+84h] [1]\r\n.text:6E1ED9C3 lea eax, [esp+0A4h+var_88]\r\n.text:6E1ED9C7 push eax\r\n.text:6E1ED9C8 add ecx, esi [2]\r\n.text:6E1ED9CA call COD_MARKER::operator=(COD_MARKER const &) [3]\r\n.text:6E1ED9CF inc ebx\r\n.text:6E1ED9D0 add esi, 48h [4]\r\n.text:6E1ED9D3 cmp ebx, [edi+3Ch] [5]\r\n.text:6E1ED9D6 jb short loc_6E1\r\n```\r\nAt [1] a pointer to the vector is retrieved, at [2] `esi` is used as an index into the vector values, and is added to `ecx`, at [3] the current vector element is used with its assignment operator, at [4] index is increased, and at [5] the counter is compared to the previously mentioned csiz value.\r\n\r\nA similar codepath is executed while parsing the CQD marker.\r\n\r\nWith page heap enabled , the supplied testcase crashes with the following:\r\n```\r\neax=0d4fe801 ebx=00000003 ecx=0d9a1000 edx=00000000 esi=0d4fe8d0 edi=0d9a1000\r\neip=6e2cc0cb esp=0d4fe8a0 ebp=0d4fe8a8 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216\r\nWindows_Data_Pdf!COD_MARKER::operator=+0xe:\r\n6e2cc0cb 8807 mov byte ptr [edi],al ds:002b:0d9a1000=??\r\n0:014> k 5\r\n # ChildEBP RetAddr\r\n00 0d4fe8a8 6e2cd9fa Windows_Data_Pdf!COD_MARKER::operator=+0xe\r\n01 0d4fe95c 6e2cc63c Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1ea\r\n02 0d4fe9fc 6e2c9127 Windows_Data_Pdf!CCodeStreamDecoder::DecodeMarkers+0x91\r\n03 0d4fec0c 6e2c8b47 Windows_Data_Pdf!JPXDecoder::Decode+0x80\r\n04 0d4fec70 6e2c8740 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\r\n\r\n```\r\n\r\nIt's crashing in the CODMARKER assignment operator with a write access violation. A step by step examination leads to the details of the crash. 
Firstly, CODMARKER vector is resized to 3 inside `CCodeStreamDecoder::s_SIZMarkerDecoder` method:\r\n```\r\nBreakpoint 2 hit\r\neax=00000000 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000003 edi=0d3cf03c\r\neip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\r\n6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\r\n0:013> ub\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x158:\r\n6e2ce758 0fb7f0 movzx esi,ax\r\n6e2ce75b 8d4b78 lea ecx,[ebx+78h]\r\n6e2ce75e 56 push esi\r\n6e2ce75f 89742438 mov dword ptr [esp+38h],esi\r\n6e2ce763 89733c mov dword ptr [ebx+3Ch],esi\r\n6e2ce766 e884ecffff call Windows_Data_Pdf!std::vector<QCD_MARKER,std::allocator<QCD_MARKER> >::resize (6e2cd3ef)\r\n6e2ce76b 56 push esi\r\n6e2ce76c 8d8b84000000 lea ecx,[ebx+84h]\r\n0:013> dd ecx\r\n0d3cee90 00000000 00000000 00000000 00000000\r\n0d3ceea0 00000000 00000000 00000000 00000000\r\n0d3ceeb0 00000000 0d3ceec8 00000011 00000000\r\n0d3ceec0 0d7e0f1c 6e087f00 6e30c61f 00000064\r\n0d3ceed0 0000000f e16b33b0 0d00ef58 6e30c298\r\n0d3ceee0 6e2c965e 0d7e0f08 6e2c966a e16b3398\r\n0d3ceef0 0d3cef30 6e2c96c2 6e2c96f3 00000000\r\n0d3cef00 0000001c 00000000 00000000 00000000\r\n0:013> p\r\nBreakpoint 2 hit\r\neax=00000000 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000003 edi=0d3cf03c\r\neip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\r\n6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\r\n0:013> p\r\neax=000000d8 ebx=0d3cee0c ecx=6e2cd399 edx=00000000 esi=00000003 edi=0d3cf03c\r\neip=6e2ce777 esp=0d3cec90 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b 
ds=002b es=002b fs=0053 gs=002b efl=00000216\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x177:\r\n6e2ce777 8d4340 lea eax,[ebx+40h]\r\n0:013> dd 0d3cee90\r\n0d3cee90 0d842f28 0d843000 0d843000 00000000\r\n0d3ceea0 00000000 00000000 00000000 00000000\r\n0d3ceeb0 00000000 0d3ceec8 00000011 00000000\r\n0d3ceec0 0d7e0f1c 6e087f00 6e30c61f 00000064\r\n0d3ceed0 0000000f e16b33b0 0d00ef58 6e30c298\r\n0d3ceee0 6e2c965e 0d7e0f08 6e2c966a e16b3398\r\n0d3ceef0 0d3cef30 6e2c96c2 6e2c96f3 00000000\r\n0d3cef00 0000001c 00000000 00000000 00000000\r\n```\r\n\r\nIn the above debugging output, it can be seen that the resize argument is 3 and that `this` is pointing to `0x0d3cee90`. Also, after the call, the location at `0d3cee90` is initialized with pointers to vector start and end, so initially the COD_MARKER vector starts at `0d842f28`. Placing a breakpoint at above mentioned COD vector assignment code inside `CCodeStreamDecoder::s_CODMarkerDecoder` gives:\r\n```\r\nBreakpoint 3 hit\r\neax=0d3cecc8 ebx=00000000 ecx=0d842f28 edx=000000bb esi=00000000 edi=0d3cee0c\r\neip=6e2cd9ca esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1ba:\r\n6e2cd9ca e8eee6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\r\n0:013> ub\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1a3:\r\n6e2cd9b3 c60701 mov byte ptr [edi],1\r\n6e2cd9b6 395f3c cmp dword ptr [edi+3Ch],ebx\r\n6e2cd9b9 7655 jbe Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x200 (6e2cda10)\r\n6e2cd9bb 8bf3 mov esi,ebx\r\n6e2cd9bd 8b8f84000000 mov ecx,dword ptr [edi+84h]\r\n6e2cd9c3 8d44241c lea eax,[esp+1Ch]\r\n6e2cd9c7 50 push eax\r\n6e2cd9c8 03ce add ecx,esi\r\n0:013> dd ecx\r\n0d842f28 c0c0c0c0 00000000 00000000 00000000\r\n0d842f38 00000000 00000000 00000000 c0c0c0c0\r\n0d842f48 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\r\n0d842f58 c0c0c0c0 c0c0c0c0 c0c0c0c0 
c0c0c0c0\r\n0d842f68 c0c0c0c0 c0c0c0c0 c0c0c0c0 00000000\r\n0d842f78 00000000 00000000 00000000 00000000\r\n0d842f88 00000000 c0c0c0c0 c0c0c0c0 c0c0c0c0\r\n0d842f98 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\r\n\r\n```\r\n\r\nIn the above debugging output, we hit a breakpoint on a call to `Windows_Data_Pdf!COD_MARKER::operator=` and can see that `ecx` points to the beginning of the resized vector from the previous disassembly. It continues to loop 3 times as specified by csiz value.\r\n\r\nAs mentioned before, the supplied testcase has a tile part that contains an extra SIZ marker along with COD marker, so resuming the execution breaks again in `CCodeStreamDecoder::s_SIZMarkerDecoder` during COD_MARKER vector resize:\r\n\r\n```\r\nBreakpoint 2 hit\r\neax=00000003 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000004 edi=0d3cf03c\r\neip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\r\n6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\r\n0:013> bu\r\nbreakpoint 2 redefined\r\n0:013> ub\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x158:\r\n6e2ce758 0fb7f0 movzx esi,ax\r\n6e2ce75b 8d4b78 lea ecx,[ebx+78h]\r\n6e2ce75e 56 push esi\r\n6e2ce75f 89742438 mov dword ptr [esp+38h],esi\r\n6e2ce763 89733c mov dword ptr [ebx+3Ch],esi\r\n6e2ce766 e884ecffff call Windows_Data_Pdf!std::vector<QCD_MARKER,std::allocator<QCD_MARKER> >::resize (6e2cd3ef)\r\n6e2ce76b 56 push esi\r\n6e2ce76c 8d8b84000000 lea ecx,[ebx+84h]\r\n0:013> dd ecx\r\n0d3cee90 0d842f28 0d843000 0d843000 00000000\r\n0d3ceea0 00000000 00000000 00000000 00000000\r\n0d3ceeb0 00000000 00000008 00000008 00000000\r\n0d3ceec0 0d7e0f1c 6e087f01 00000004 00000000\r\n0d3ceed0 01001002 e16b3348 0d00eea0 00000000\r\n0d3ceee0 000001af 00000146 00000000 00000000\r\n0d3ceef0 00000100 00000100 00000000 
00000000\r\n0d3cef00 00000003 0d85cff0 0d85cffc 0d85cffc\r\n0:013> p\r\neax=00000048 ebx=0d3cee0c ecx=6e2cd399 edx=00000000 esi=00000004 edi=0d3cf03c\r\neip=6e2ce777 esp=0d3cec90 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x177:\r\n6e2ce777 8d4340 lea eax,[ebx+40h]\r\n0:013> dd 0d3cee90\r\n0d3cee90 0dab8ee0 0dab9000 0dab9000 00000000\r\n0d3ceea0 00000000 00000000 00000000 00000000\r\n0d3ceeb0 00000000 00000008 00000008 00000000\r\n0d3ceec0 0d7e0f1c 6e087f01 00000004 00000000\r\n0d3ceed0 01001002 e16b3348 0d00eea0 00000000\r\n0d3ceee0 000001af 00000146 00000000 00000000\r\n0d3ceef0 00000100 00000100 00000000 00000000\r\n0d3cef00 00000003 0d85cff0 0d85cffc 0d85cffc\r\n\r\n```\r\nIn the above debugging output, a call to resize is made with the same `this` as previously. Before the call, the same vector pointers are at `0d3cee90`, but after the call, the vector has been reallocated because of resize. In the above code, the value of the `esi`, or the argument to resize, is 4 which is the csize value specified in the second SIZ element in the file. In short, the COD_MARKER vector had to be resized to 4 which ended up reallocating it, meaning that previous saved pointers are invalidated. Continuing execution leads us again to COD element decoder, but this time a different path is taken. 
Instead of new reference to a resized vector, an old one is used but with a new counter:\r\n\r\n```\r\neax=0d3cecc8 ebx=00000000 ecx=0d872f28 edx=00001ec6 esi=00000000 edi=0d3cee0c\r\neip=6e2cd9f5 esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\r\n6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\r\n0:013> ub\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1d2:\r\n6e2cd9e2 5f pop edi\r\n6e2cd9e3 3c76 cmp al,76h\r\n6e2cd9e5 1d8bf38b8f sbb eax,8F8BF38Bh\r\n6e2cd9ea 3c01 cmp al,1\r\n6e2cd9ec 0000 add byte ptr [eax],al\r\n6e2cd9ee 8d44241c lea eax,[esp+1Ch]\r\n6e2cd9f2 50 push eax\r\n6e2cd9f3 03ce add ecx,esi\r\n0:013> dd ecx\r\n0d872f28 c0c0c001 00000000 00000000 00000000\r\n0d872f38 00000000 00000000 00000000 00000000\r\n0d872f48 00000000 00000005 00000001 00000001\r\n0d872f58 00000020 00000020 00000000 c0c00000\r\n0d872f68 00000001 00000001 c0c0c001 00000000\r\n0d872f78 00000000 00000000 00000000 00000000\r\n0d872f88 00000000 00000000 00000000 00000005\r\n0d872f98 00000001 00000001 00000020 00000020\r\n0:013> u\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\r\n6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\r\n6e2cd9fa 43 inc ebx\r\n6e2cd9fb 83c648 add esi,48h\r\n6e2cd9fe 3b5f3c cmp ebx,dword ptr [edi+3Ch]\r\n6e2cda01 72e5 jb Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1d8 (6e2cd9e8)\r\n6e2cda03 6afe push 0FFFFFFFEh\r\n6e2cda05 58 pop eax\r\n6e2cda06 2b442414 sub eax,dword ptr [esp+14h]\r\n0:013> dd edi+3c L1\r\n0d3cee48 00000004\r\n\r\n```\r\nIn the above debugging output, we can see that the max counter value is 4 (as specified by new csiz value) but the vector being used is still the same as before, `0d872f28`. 
In the fourth iteration of this loop, the index into the vector elements will be increased past the allocated heap chunk resulting in an out of bound memory access:\r\n```\r\nBreakpoint 4 hit\r\neax=0d3cecc8 ebx=00000003 ecx=0d873000 edx=00000000 esi=000000d8 edi=0d3cee0c\r\neip=6e2cd9f5 esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216\r\nWindows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\r\n6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\r\n0:013> dd ecx\r\n0d873000 ???????? ???????? ???????? ????????\r\n0d873010 ???????? ???????? ???????? ????????\r\n0d873020 ???????? ???????? ???????? ????????\r\n0d873030 ???????? ???????? ???????? ????????\r\n0d873040 ???????? ???????? ???????? ????????\r\n0d873050 ???????? ???????? ???????? ????????\r\n0d873060 ???????? ???????? ???????? ????????\r\n0d873070 ???????? ???????? ???????? ????????\r\n\r\n```\r\nThis ultimately leads to a crash due to invalid memory write.\r\n\r\nWith page heap turned off, memory past the end of the heap chunk above will be readable and writable so the process wouldn\u2019t crash there. By carefully controlling the contents of the memory past the adjacent chunk further memory corruption can be achieved possibly leading to arbitrary code execution. Similarly to COD marker, CQD marker parsing is affected with the same out of bounds access/write issue. 
A stale reference is being reused there too leading to other interesting memory overwrite primitives:\r\n```\r\n.text:6E2CE03F mov ecx, [ebx+130h]\r\n.text:6E2CE045 lea eax, [esp+0ACh+var_8C]\r\n.text:6E2CE049 push eax\r\n.text:6E2CE04A add ecx, edi\r\n.text:6E2CE04C call QCD_MARKER::operator=(QCD_MARKER const &)\r\n.text:6E2CE051 inc esi\r\n.text:6E2CE052 add edi, 20h\r\n.text:6E2CE055 cmp esi, [ebx+3Ch]\r\n.text:6E2CE058 jb short loc_6E2CE0\r\n```\r\n\r\nAbove disassembly is from `CCodeStreamDecoder::s_QCDMarkerDecoder` method call and in it, the stale CQD vector pointer is used to iterate through its elements with an assignment operator. The same out of bounds issue occurs and leads to a different crash inside `QCD_MARKER::operator=` where a call to `memmove` is passed an pointer from invalid memory.\r\n\r\nFinally, without page heap, the following crash occurs:\r\n```\r\n(218.fa0): Windows Runtime Originate Error - code 40080201 (first chance)\r\n(218.fa0): C++ EH exception - code e06d7363 (first chance)\r\n(218.fa0): Windows Runtime Originate Error - code 40080201 (first chance)\r\n(218.fa0): C++ EH exception - code e06d7363 (first chance)\r\n(218.13cc): C++ EH exception - code e06d7363 (first chance)\r\nHEAP[mspdf.exe]: Invalid address specified to RtlFreeHeap( 00A90000, 033B4D40 )\r\n(218.13cc): Break instruction exception - code 80000003 (first chance)\r\neax=00258000 ebx=033b4d38 ecx=033b4d38 edx=0000003f esi=00a90000 edi=00000000\r\neip=7778ee8a esp=0426da84 ebp=0426da9c iopl=0 nv up ei pl nz na po nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202\r\nntdll!RtlpBreakPointHeap+0x19:\r\n7778ee8a cc int 3\r\n0:014> k 10\r\n # ChildEBP RetAddr\r\n00 0426da80 7773cce7 ntdll!RtlpBreakPointHeap+0x19\r\n01 0426da9c 7778e0a8 ntdll!RtlpValidateHeapEntry+0x6c924\r\n02 0426daf4 776ecc3e ntdll!RtlDebugFreeHeap+0xbf\r\n03 0426dbf8 776eb4c8 ntdll!RtlpFreeHeap+0xc3e\r\n04 0426dc24 770577a5 ntdll!RtlFreeHeap+0x268\r\n05 0426dc70 6e029505 
msvcrt!free+0x65\r\n06 0426dc80 6e1f9481 Windows_Data_Pdf!std::vector<double,std::allocator<double> >::~vector<double,std::allocator<double> >+0x1a\r\n07 0426dc98 6e1f8e56 Windows_Data_Pdf!std::vector<std::unique_ptr<CTile,std::default_delete<CTile> >,std::allocator<std::unique_ptr<CTile,std::default_delete<CTile> > > >::_Tidy+0x2f\r\n08 0426dca0 77050ea7 Windows_Data_Pdf!CCodeStreamDecoder::~CCodeStreamDecoder+0x1b\r\n09 0426ed2c 6e1f8b47 msvcrt!_NLG_Return\r\n0a 0426ed90 6e1f8740 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\r\n0b 0426ed98 6e05660f Windows_Data_Pdf!PDF::CJPXDecoderByteStream::DecodeData+0x10\r\n0c 0426eddc 6e28c7e0 Windows_Data_Pdf!Infra::CByteStreamDecorator::Initialize+0x5f\r\n0d 0426ee08 6e0e6a3f Windows_Data_Pdf!PDF::CPDFFactory::CreateByteStreamJPXDecoder+0x50\r\n0e 0426ef8c 6e0550b9 Windows_Data_Pdf!PDF::CStreamObject::_Decompress+0x9196b\r\n0f 0426efb4 6e1b91ed Windows_Data_Pdf!PDF::CStreamObject::DecodeByteStream+0x49\r\n\r\n```\r\nThe above crash occurs after the out of bound memory write in COD marker decoder corrupts heap metadata and an invalid pointer gets used during the CQD decoder.\r\n\r\nIn order to successfully exploit this vulnerability, a high control over the heap contents is needed which can possibly be achieved with calculated placement of tile information and other boxes in the jp2 file. It is also possible that the vulnerability can be triggered multiple times while parsing the same file, giving the attacker even greater control over the overwrites.\r\n\r\nIn summary, the vulnerability is due to the fact that SIZ element present inside tile data element (which seems to violate the standard) resizes the COD and CQD vectors, but a stale pointer gets reused leading to out of bounds write. 
Malicious files of this nature can be detected by checking whether one or more tile parts contain a SIZ element whose csiz is greater than that of the initial, global SIZ element.\r\n\r\nThe analysis was done on a simple custom sample application that uses the PDF API, but the supplied testcase also crashes the Microsoft Edge browser.\r\n\r\n### Crash Information\r\nWith Application Verifier and page heap enabled, output of `!analyze -v`. Note that the corrupted heap block is 0xD8 bytes, three COD_MARKER elements of 0x48 bytes each, and the reported corruption address `094EFDC8` is exactly the block start plus 0xD8, i.e. the write begins immediately past the end of the three-element allocation:\r\n```\r\n (20.90): Windows Runtime Originate Error - code 40080201 (first chance)\r\n (20.90): C++ EH exception - code e06d7363 (first chance)\r\n (20.90): Windows Runtime Originate Error - code 40080201 (first chance)\r\n (20.90): C++ EH exception - code e06d7363 (first chance)\r\n (20.f3c): C++ EH exception - code e06d7363 (first chance)\r\n\r\n\r\n ===========================================================\r\n VERIFIER STOP 0000000F: pid 0x20: corrupted suffix pattern\r\n\r\n 063C1000 : Heap handle\r\n 094EFCF0 : Heap block\r\n 000000D8 : Block size\r\n 094EFDC8 : corruption address\r\n ===========================================================\r\n This verifier stop is not continuable. 
Process will be terminated\r\n when you use the `go' debugger command.\r\n ===========================================================\r\n\r\n (20.f3c): Break instruction exception - code 80000003 (first chance)\r\n eax=060af260 ebx=00000000 ecx=060af260 edx=0000000f esi=094efcf0 edi=72f411a0\r\n eip=72f3cbfe esp=0a4ad8dc ebp=0a4ad900 iopl=0 nv up ei pl nz na po nc\r\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202\r\n verifier!VerifierStopMessage+0x27e:\r\n 72f3cbfe cc int 3\r\n 0:014> !analyze -v\r\n *******************************************************************************\r\n * *\r\n * Exception Analysis *\r\n * *\r\n *******************************************************************************\r\n\r\n APPLICATION_VERIFIER_HEAPS_CORRUPTED_HEAP_BLOCK_SUFFIX (f)\r\n Corrupted suffix pattern for heap block.\r\n Most typically this happens for buffer overrun errors. Sometimes the application\r\n verifier places non-accessible pages at the end of the allocation and buffer\r\n overruns will cause an access violation and sometimes the heap block is\r\n followed by a magic pattern. If this pattern is changed when the block gets\r\n freed you will get this break. 
These breaks can be quite difficult to debug\r\n because you do not have the actual moment when corruption happened.\r\n You just have access to the free moment (stop happened here) and the\r\n allocation stack trace (!heap -p -a HEAP_BLOCK_ADDRESS)\r\n Arguments:\r\n Arg1: 063c1000, Heap handle used in the call.\r\n Arg2: 094efcf0, Heap block involved in the operation.\r\n Arg3: 000000d8, Size of the heap block.\r\n Arg4: 094efdc8, Corruption address.\r\n\r\n DUMP_CLASS: 2\r\n\r\n DUMP_QUALIFIER: 0\r\n\r\n FAULTING_IP:\r\n verifier!VerifierStopMessage+27e\r\n 72f3cbfe cc int 3\r\n\r\n EXCEPTION_RECORD: (.exr -1)\r\n ExceptionAddress: 72f3cbfe (verifier!VerifierStopMessage+0x0000027e)\r\n ExceptionCode: 80000003 (Break instruction exception)\r\n ExceptionFlags: 00000000\r\n NumberParameters: 1\r\n Parameter[0]: 00000000\r\n\r\n FAULTING_THREAD: 00000f3c\r\n\r\n DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AVRF\r\n\r\n PROCESS_NAME: mspdf.exe\r\n\r\n ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.\r\n\r\n EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid\r\n\r\n EXCEPTION_CODE_STR: 80000003\r\n\r\n EXCEPTION_PARAMETER1: 00000000\r\n\r\n WATSON_BKT_PROCSTAMP: 5706a632\r\n\r\n WATSON_BKT_MODULE: verifier.dll\r\n\r\n WATSON_BKT_MODSTAMP: 5632d7df\r\n\r\n WATSON_BKT_MODOFFSET: cbfe\r\n\r\n WATSON_BKT_MODVER: 10.0.10586.0\r\n\r\n MODULE_VER_PRODUCT: Microsoft\u00ae Windows\u00ae Operating System\r\n\r\n BUILD_VERSION_STRING: 10.0.10586.162 (th2_release_sec.160223-1728)\r\n\r\n MODLIST_WITH_TSCHKSUM_HASH: 6648028320ab5cbba7b6c72455d4e5c1de630a24\r\n\r\n MODLIST_SHA1_HASH: 5c045408b1c06db5d658dde68dc1f6871a92acac\r\n\r\n NTGLOBALFLAG: 2000100\r\n\r\n APPLICATION_VERIFIER_FLAGS: 48004\r\n\r\n PRODUCT_TYPE: 1\r\n\r\n SUITE_MASK: 272\r\n\r\n APPLICATION_VERIFIER_LOADED: 1\r\n\r\n APP: mspdf.exe\r\n\r\n ANALYSIS_SESSION_HOST: DESKTOP-G0NTBS7\r\n\r\n ANALYSIS_SESSION_TIME: 04-24-2016 20:00:13.0430\r\n\r\n 
ANALYSIS_VERSION: 10.0.10586.567 x86fre\r\n\r\n THREAD_ATTRIBUTES:\r\n OS_LOCALE: ENU\r\n\r\n PROBLEM_CLASSES:\r\n\r\n\r\n\r\n\r\n Tid [0x0]\r\n Frame [0x00]\r\n String [STATUS_BREAKPOINT]\r\n Data Bucketing\r\n\r\n\r\n\r\n AVRF\r\n Tid [0xf3c]\r\n Frame [0x00]: verifier!VerifierStopMessage\r\n Failure Bucketing\r\n\r\n\r\n BUGCHECK_STR: STATUS_BREAKPOINT_AVRF\r\n\r\n STACK_TEXT:\r\n 0a4ad900 72f3aa52 0000000f 72f31b80 063c1000 verifier!VerifierStopMessage+0x27e\r\n 0a4ad964 72f3ae8a 063c1000 00000000 094efcf0 verifier!AVrfpDphReportCorruptedBlock+0x1c2\r\n 0a4ad9c0 72f3bc3b 063c1000 094efcf0 00000000 verifier!AVrfpDphCheckNormalHeapBlock+0x11a\r\n 0a4ad9e0 72f411b2 063c0000 094efcf0 0a4ada50 verifier!AvrfpDphCheckPageHeapAllocation+0x6b\r\n 0a4ad9f0 72f51def 063c0000 094efcf0 638dce2d verifier!VerifierCheckPageHeapAllocation+0x12\r\n 0a4ada50 770577a5 063c0000 00000000 094efcf0 verifier!AVrfpRtlFreeHeap+0x5f\r\n 0a4ada9c 72f52dd5 094efcf0 638dcea9 094efdc8 msvcrt!free+0x65\r\n 0a4adad4 6e2c934e 094efcf0 e06d7363 19930522 verifier!AVrfp_delete+0x45\r\n 0a4adae8 6e2c8f8b 0a4ae96c 6e2c8e61 00000000 Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::_Tidy+0x38\r\n 0a4adaf0 6e2c8e61 00000000 77050ea7 e06d7363 Windows_Data_Pdf!JPXMetadata::~JPXMetadata+0x26\r\n 0a4adaf8 77050ea7 e06d7363 00000000 0a4adb18 Windows_Data_Pdf!CCodeStreamDecoder::~CCodeStreamDecoder+0x26\r\n 0a4aeb64 6e2c8b47 094e9de4 00000800 aaa50673 msvcrt!_NLG_Return\r\n 0a4aebc8 6e2c8740 094e9dcc 6e12660f 094e9dcc Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\r\n 0a4aebd0 6e12660f 094e9dcc 6e1265b0 0a4aec34 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::DecodeData+0x10\r\n 0a4aec14 6e35c7e0 aaa5014b 09456e34 6e35c790 Windows_Data_Pdf!Infra::CByteStreamDecorator::Initialize+0x5f\r\n 0a4aec40 6e1b6a3f 0a4aec6c 0a4aee4c 094e9d40 Windows_Data_Pdf!PDF::CPDFFactory::CreateByteStreamJPXDecoder+0x50\r\n 0a4aedc4 6e1250b9 0a4aee4c 094e9d40 6e125070 
Windows_Data_Pdf!PDF::CStreamObject::_Decompress+0x9196b\r\n 0a4aedec 6e2891ed 0a4aee4c 094e9d40 aaa51d87 Windows_Data_Pdf!PDF::CStreamObject::DecodeByteStream+0x49\r\n 0a4af08c 6e2874e6 0a4af2d8 094e88f8 094e8900 Windows_Data_Pdf!Builder::CImageHandler::_LoadImageObject+0x198\r\n 0a4af0d4 6e25a50c 0a4af2d8 094e88f8 094e8900 Windows_Data_Pdf!Builder::CImageHandler::LoadImageObject+0x41\r\n 0a4af158 6e353406 0a4af2d8 0a4af3b8 094cb464 Windows_Data_Pdf!Builder::CResourceFactory::LoadImageSource+0xbc\r\n 0a4af5f4 6e3101ba 094e943c 6e310190 094e9430 Windows_Data_Pdf!PageElements::GraphicsCommandUpdater::UpdateGraphicsCommand+0xee6\r\n 0a4af60c 6e1282da 6e12b880 094e93d0 aaa51b2b Windows_Data_Pdf!std::_Func_impl<std::_Callable_obj<<lambda_267d1e4465265120ffca50182e13906e>,0>,std::allocator<std::_Func_class<void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil> >,void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::_Do_call+0x2a\r\n 0a4af620 6e12b888 6e127fbf 094e91f8 094e9208 Windows_Data_Pdf!std::_Func_class<void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::operator()+0x5a\r\n 0a4af624 6e127fbf 094e91f8 094e9208 aaa51b33 Windows_Data_Pdf!std::_Func_impl<std::_Callable_obj<Infra::GlobalTask,0>,std::allocator<std::_Func_class<bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil> >,bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::_Do_call+0x8\r\n 0a4af638 6e127d2b 6e1dc410 094e9740 00000001 Windows_Data_Pdf!std::_Func_class<bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::operator()+0x49\r\n 0a4af648 6e1dc42f aaa51b73 6e1dc410 094e9850 Windows_Data_Pdf!Infra::CTask::Execute+0x33\r\n 0a4af678 6d8353df 094e9740 094e9850 0a4af894 Windows_Data_Pdf!Infra::CAsyncTpWorker::CTpWorkItem::Invoke+0x1f\r\n 0a4af6a4 6d834d20 5ab46f05 0a4af894 08b03ff0 
threadpoolwinrt!Windows::System::Threading::CThreadPoolWorkItem::CommonWorkCallback+0xaf\r\n 0a4af6d4 776dde13 0a4af894 094e9850 08b03ff0 threadpoolwinrt!Windows::System::Threading::CThreadPoolWorkItem::BatchedCallback+0x60\r\n 0a4af7c4 776dcc25 0a4af894 08b04060 738bf041 ntdll!TppWorkpExecuteCallback+0x153\r\n 0a4af974 750238f4 08abe0a8 750238d0 f814e18b ntdll!TppWorkerThread+0x555\r\n 0a4af988 77715de3 08abe0a8 738bf0e5 00000000 KERNEL32!BaseThreadInitThunk+0x24\r\n 0a4af9d0 77715dae ffffffff 7773b7db 00000000 ntdll!__RtlUserThreadStart+0x2f\r\n 0a4af9e0 00000000 776dc6d0 08abe0a8 00000000 ntdll!_RtlUserThreadStart+0x1b\r\n\r\n\r\n THREAD_SHA1_HASH_MOD_FUNC: 6315750fc53d807b4155ffc0842ee6a03c9f40f3\r\n\r\n THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f4a0d5cef213b9229c67ca969977acae24171ac9\r\n\r\n THREAD_SHA1_HASH_MOD: 7f0f6cd60042c923021fe565fe770b7a413be340\r\n\r\n FOLLOWUP_IP:\r\n verifier!VerifierStopMessage+27e\r\n 72f3cbfe cc int 3\r\n\r\n FAULT_INSTR_CODE: f87d83cc\r\n\r\n SYMBOL_STACK_INDEX: 0\r\n\r\n SYMBOL_NAME: verifier!VerifierStopMessage+27e\r\n\r\n FOLLOWUP_NAME: MachineOwner\r\n\r\n MODULE_NAME: verifier\r\n\r\n IMAGE_NAME: verifier.dll\r\n\r\n DEBUG_FLR_IMAGE_TIMESTAMP: 5632d7df\r\n\r\n STACK_COMMAND: ~14s ; kb\r\n\r\n BUCKET_ID: STATUS_BREAKPOINT_AVRF_verifier!VerifierStopMessage+27e\r\n\r\n PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF_verifier!VerifierStopMessage+27e\r\n\r\n BUCKET_ID_OFFSET: 27e\r\n\r\n BUCKET_ID_MODULE_STR: verifier\r\n\r\n BUCKET_ID_MODTIMEDATESTAMP: 5632d7df\r\n\r\n BUCKET_ID_MODCHECKSUM: 5c097\r\n\r\n BUCKET_ID_MODVER_STR: 10.0.10586.0\r\n\r\n BUCKET_ID_PREFIX_STR: STATUS_BREAKPOINT_AVRF_\r\n\r\n FAILURE_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF\r\n\r\n FAILURE_EXCEPTION_CODE: 80000003\r\n\r\n FAILURE_IMAGE_NAME: verifier.dll\r\n\r\n FAILURE_FUNCTION_NAME: VerifierStopMessage\r\n\r\n BUCKET_ID_FUNCTION_STR: VerifierStopMessage\r\n\r\n FAILURE_SYMBOL_NAME: verifier.dll!VerifierStopMessage\r\n\r\n FAILURE_BUCKET_ID: 
STATUS_BREAKPOINT_AVRF_80000003_verifier.dll!VerifierStopMessage\r\n\r\n TARGET_TIME: 2016-04-24T18:00:19.000Z\r\n\r\n OSBUILD: 10586\r\n\r\n OSSERVICEPACK: 0\r\n\r\n SERVICEPACK_NUMBER: 0\r\n\r\n OS_REVISION: 0\r\n\r\n OSPLATFORM_TYPE: x86\r\n\r\n OSNAME: Windows 10\r\n\r\n OSEDITION: Windows 10 WinNt SingleUserTS\r\n\r\n USER_LCID: 0\r\n\r\n OSBUILD_TIMESTAMP: 2015-10-30 03:46:21\r\n\r\n BUILDDATESTAMP_STR: 160223-1728\r\n\r\n BUILDLAB_STR: th2_release_sec\r\n\r\n BUILDOSVER_STR: 10.0.10586.162\r\n\r\n ANALYSIS_SESSION_ELAPSED_TIME: 176f\r\n\r\n ANALYSIS_SOURCE: UM\r\n\r\n FAILURE_ID_HASH_STRING: um:status_breakpoint_avrf_80000003_verifier.dll!verifierstopmessage\r\n\r\n FAILURE_ID_HASH: {bedb7089-3b9b-ca23-9c37-a0231a6648d3}\r\n\r\n Followup: MachineOwner\r\n ---------\r\n```\r\n\r\n### Timeline\r\n* 2016-04-28 - Vendor Disclosure\r\n* 2016-08-09 - Public Release", "published": "2017-10-13T00:00:00", "type": "seebug", "title": "Microsoft Windows PDF API Jpeg2000 csiz Remote Code Execution Vulnerability(CVE-2016-3319)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3319"], "modified": "2017-10-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96679", "id": "SSV:96679", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2020-06-10T19:48:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3319"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS16-102", "modified": "2020-06-08T00:00:00", "published": "2016-08-10T00:00:00", "id": "OPENVAS:1361412562310808647", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808647", "type": "openvas", "title": "Microsoft Windows PDF Library Remote Code Execution Vulnerability (3182248)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows PDF 
Library Remote Code Execution Vulnerability (3182248)\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808647\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-3319\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-08-10 09:19:34 +0530 (Wed, 10 Aug 2016)\");\n script_name(\"Microsoft Windows PDF Library Remote Code Execution Vulnerability (3182248)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS16-102\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to Windows PDF Library\n improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a\n remote attacker to execute 
arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3182248\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/ms16-102\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-102\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2012:1, win2012R2:1, win8_1:1, win8_1x64:1,\n win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer1 = fetch_file_version(sysPath:sysPath, file_name:\"System32\\Glcndfilter.dll\");\ndllVer2 = fetch_file_version(sysPath:sysPath, file_name:\"System32\\Windows.data.pdf.dll\");\nif(!dllVer1 && !dllVer2){\n exit(0);\n}\n\nif(hotfix_check_sp(win2012:1) > 0)\n{\n if(version_is_less(version:dllVer1, test_version:\"6.2.9200.21924\"))\n {\n Vulnerable_range = \"Less than 6.2.9200.21924\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0)\n{\n if(version_is_less(version:dllVer1, test_version:\"6.3.9600.18403\"))\n {\n Vulnerable_range = 
\"Less than 6.3.9600.18403\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && dllVer2)\n{\n if(version_is_less(version:dllVer2, test_version:\"10.0.10240.17071\"))\n {\n Vulnerable_range = \"Less than 10.0.10240.17071\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:dllVer2, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.544\"))\n {\n Vulnerable_range = \"10.0.10586.0 - 10.0.10586.544\";\n VULN2 = TRUE ;\n }\n}\n\nif(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\windows.data.pdf.dll\"+ '\\n' +\n 'File version: ' + dllVer2 + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nif(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Glcndfilter.dll\" + '\\n' +\n 'File version: ' + dllVer1 + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T13:57:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3329", "CVE-2016-3319", "CVE-2016-3322", "CVE-2016-3296", "CVE-2016-3326", "CVE-2016-3289", "CVE-2016-3327", "CVE-2016-3293"], "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-096.", "modified": "2019-12-20T00:00:00", "published": "2016-08-10T00:00:00", "id": "OPENVAS:1361412562310808785", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808785", "type": "openvas", "title": "Microsoft Edge Multiple Vulnerabilities (3177358)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Edge Multiple Vulnerabilities (3177358)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808785\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2016-3289\", \"CVE-2016-3293\", \"CVE-2016-3296\", \"CVE-2016-3319\",\n \"CVE-2016-3322\", \"CVE-2016-3326\", \"CVE-2016-3327\", \"CVE-2016-3329\");\n script_bugtraq_id(92285, 92305, 92283, 92293, 92282, 92287, 92284, 92286);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-10 09:07:18 +0530 (Wed, 10 Aug 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Edge Multiple Vulnerabilities (3177358)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-096.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist due to,\n\n - A remote code execution vulnerability exist in the way that the\n Chakra JavaScript engine renders when handling objects in memory.\n\n - Multiple information disclosure 
vulnerabilities exists when the\n Microsoft Edge improperly handles objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code in the context of the current user, and\n obtain information to further compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 x32/x64\n\n - Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3177358\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-096\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_microsoft_edge_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/Edge/Installed\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgedllVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgedllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win10:1, win10x64:1) > 0)\n{\n if(version_is_less(version:edgedllVer, test_version:\"11.0.10240.17071\"))\n {\n Vulnerable_range = \"Less than 11.0.10240.17071\";\n VULN = TRUE ;\n }\n\n else if(version_in_range(version:edgedllVer, test_version:\"11.0.10586.0\", test_version2:\"11.0.10586.544\"))\n {\n Vulnerable_range = \"11.0.10586.0 - 11.0.10586.544\";\n VULN = TRUE ;\n }\n}\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + 
\"\\edgehtml.dll\" + '\\n' +\n 'File version: ' + edgedllVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talos": [{"lastseen": "2020-07-01T21:25:31", "bulletinFamily": "info", "cvelist": ["CVE-2016-3319"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0170\n\n## Microsoft Windows PDF API Jpeg2000 csiz Remote Code Execution Vulnerability\n\n##### August 9, 2016\n\n##### CVE Number\n\nCVE-2016-3319\n\n### Description\n\nAn exploitable out of bounds write vulnerability exists in the PDF parsing API in the latest versions of Microsoft Windows. A specially crafted PDF file can cause an out of bounds write resulting in arbitrary code execution. The vulnerability can be triggered via a malicious web page or a saved PDF file delivered by other means.\n\n### Tested Versions\n\nMicrosoft Windows PDF API Windows.Data.Pdf.dll version 10.0.10586.162\n\n### Product URLs\n\n[http://www.microsoft.com](<https://www.microsoft.com>)\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### Details\n\nThe vulnerability is present in the Microsoft native PDF API, which has been available since Windows 8.1. In Windows 10, Microsoft Edge is the default application for opening PDF files, enabling potential vulnerabilities in the native PDF API to be exploited over the Web.\n\nThere exists a vulnerability in the way the Microsoft PDF API parses jpeg2000 files embedded in PDF documents. A specially crafted jpeg2000 file can trigger an out of bounds memory write and lead to remote code execution.\n\nJpeg2000 files consist of a number of containers or boxes. The Contiguous Codestream box, identified by the box type \u201cjp2c\u201d, contains the actual image data in the jp2 file; its payload is the codestream itself, a sequence of marker segments (treated loosely as child elements in the layout below). 
According to the standard, the codestream inside the jp2c box contains a SIZ marker segment (image and tile size info), a COD marker segment (coding style default info), a QCD marker segment (quantization default information) and a number of tile part elements which can in turn contain their own COD, QCD and other child elements. The marker codes are 0xFF51 for SIZ, 0xFF52 for COD, 0xFF5C for QCD and 0xFF90 for SOT, the start of a tile part. An example of the file layout can be as follows:\n \n \n ```\n +------------------+\n | |\n | Codestream Box |\n | |\n +-------+----------+\n |\n | +---------+\n +------------+ SIZ |\n | +---------+\n | +---------+\n +------------+ COD |\n | +---------+\n | +---------+\n +------------+ QCD |\n | +---------+\n | +---------------+\n +------------+ Tile Parts |\n +------+--------+\n |\n | +-----------+\n +------+ Tile Part |\n | +-----+-----+\n | | +---------+\n | +---+ COD* |\n | | +---------+\n | | +---------+\n | +---+ QCD* |\n | | +---------+\n | | +---------+\n | +---+ COM* |\n | | +---------+\n | | +---------+\n | +---+ SOT |\n | +---------+\n |\n | +-------------+ *Optional\n +-------+ Tile Part |\n +-------------+\n ```\n \n\nAccording to the standard, a tile part header begins with an SOT segment and may contain tile-scoped segments such as COD, QCD and COM (all optional), but a SIZ segment is only permitted in the main header. 
In the supplied testcase triggering the vulnerability, a tile part element has an unexpected SIZ element which gets parsed and leads to the vulnerability.\n\nElements are parsed one by one in the `CCodeStreamDecoder::DecodeMarkers` method, where for each marker type a suitable decoder is called through a Control Flow Guard checked indirect call:\n \n \n ```\n .text:6E1EC62D push esi\n .text:6E1EC62E mov esi, [ebp+var_74]\n .text:6E1EC631 mov ecx, edi ; _DWORD\n .text:6E1EC633 push esi\n .text:6E1EC634 call ds:___guard_check_icall_fptr ; CType1NoOpReceiver<IType1EncodingReceiver>::Begin(void)\n .text:6E1EC63A call edi ; calls the decoder for specific marker\n .text:6E1EC63C jmp short loc_6E\n ```\n \n\nWhen parsing a SIZ element, `edi` in the above code calls the `CCodeStreamDecoder::s_SIZMarkerDecoder` method, in which various values are initialized. Amongst other things, the SIZ marker specifies the number of components (csiz) as a 16-bit integer. This value is used to resize the vectors holding COD and QCD information, and is also stored at `ebx+3Ch`, which the marker decoders later use as their loop bound:\n \n \n ```\n .text:6E1EE747 mov eax, [edi]\n .text:6E1EE749 mov esi, [eax+10h]\n .text:6E1EE74C mov ecx, esi ; _DWORD\n .text:6E1EE74E call ds:___guard_check_icall_fptr ; CType1NoOpReceiver<IType1EncodingReceiver>::Begin(void)\n .text:6E1EE754 mov ecx, edi\n .text:6E1EE756 call esi ; [1]\n .text:6E1EE758 movzx esi, ax\n .text:6E1EE75B lea ecx, [ebx+78h]\n .text:6E1EE75E push esi\n .text:6E1EE75F mov [esp+0C4h+var_8C], esi\n .text:6E1EE763 mov [ebx+3Ch], esi\n .text:6E1EE766 call std::vector<QCD_MARKER,std::allocator<QCD_MARKER>>::resize(uint) [2]\n .text:6E1EE76B push esi\n .text:6E1EE76C lea ecx, [ebx+84h]\n .text:6E1EE772 call std::vector<COD_MARKER,std::allocator<COD_MARKER>>::resize(uint) [3]\n \n ```\n \n\nIn the above disassembly, at [1] the csiz value is read from the bytestream, at [2] it is used to resize the QCD_MARKER vector, and at [3] the same is done for the COD_MARKER vector. 
The two vector objects live at `ebx+78h` (QCD) and `ebx+84h` (COD) respectively; the first field of each is the pointer to its element storage.\n\nNext, the COD marker decoder, `CCodeStreamDecoder::s_CODMarkerDecoder`, is called, and in it the elements of the vector resized above are initialized in a loop:\n \n \n ```\n .text:6E1ED9BD mov ecx, [edi+84h] [1]\n .text:6E1ED9C3 lea eax, [esp+0A4h+var_88]\n .text:6E1ED9C7 push eax\n .text:6E1ED9C8 add ecx, esi [2]\n .text:6E1ED9CA call COD_MARKER::operator=(COD_MARKER const &) [3]\n .text:6E1ED9CF inc ebx\n .text:6E1ED9D0 add esi, 48h [4]\n .text:6E1ED9D3 cmp ebx, [edi+3Ch] [5]\n .text:6E1ED9D6 jb short loc_6E1\n ```\n \n\nAt [1] the pointer to the vector storage is retrieved, at [2] `esi`, the byte offset of the current element, is added to `ecx`, at [3] the current vector element is assigned to with its assignment operator, at [4] the offset is advanced by 0x48, the size of one COD_MARKER, and at [5] the element counter is compared to the previously mentioned csiz value.\n\nA similar codepath is executed while parsing the QCD marker.\n\nWith page heap enabled, the supplied testcase crashes with the following:\n \n \n ```\n eax=0d4fe801 ebx=00000003 ecx=0d9a1000 edx=00000000 esi=0d4fe8d0 edi=0d9a1000\n eip=6e2cc0cb esp=0d4fe8a0 ebp=0d4fe8a8 iopl=0 nv up ei pl nz ac pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216\n Windows_Data_Pdf!COD_MARKER::operator=+0xe:\n 6e2cc0cb 8807 mov byte ptr [edi],al ds:002b:0d9a1000=??\n 0:014> k 5\n # ChildEBP RetAddr\n 00 0d4fe8a8 6e2cd9fa Windows_Data_Pdf!COD_MARKER::operator=+0xe\n 01 0d4fe95c 6e2cc63c Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1ea\n 02 0d4fe9fc 6e2c9127 Windows_Data_Pdf!CCodeStreamDecoder::DecodeMarkers+0x91\n 03 0d4fec0c 6e2c8b47 Windows_Data_Pdf!JPXDecoder::Decode+0x80\n 04 0d4fec70 6e2c8740 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\n \n ```\n \n\nIt is crashing in the COD_MARKER assignment operator with a write access violation: `ebx` is 3, so the loop is writing the fourth element, and `edi` sits on a page boundary, the guard page that page heap places right after the three-element allocation. A step by step examination leads to the details of the crash. 
Firstly, COD_MARKER vector is resized to 3 inside `CCodeStreamDecoder::s_SIZMarkerDecoder` method:\n \n \n ```\n Breakpoint 2 hit\n eax=00000000 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000003 edi=0d3cf03c\n eip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\n 6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\n 0:013> ub\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x158:\n 6e2ce758 0fb7f0 movzx esi,ax\n 6e2ce75b 8d4b78 lea ecx,[ebx+78h]\n 6e2ce75e 56 push esi\n 6e2ce75f 89742438 mov dword ptr [esp+38h],esi\n 6e2ce763 89733c mov dword ptr [ebx+3Ch],esi\n 6e2ce766 e884ecffff call Windows_Data_Pdf!std::vector<QCD_MARKER,std::allocator<QCD_MARKER> >::resize (6e2cd3ef)\n 6e2ce76b 56 push esi\n 6e2ce76c 8d8b84000000 lea ecx,[ebx+84h]\n 0:013> dd ecx\n 0d3cee90 00000000 00000000 00000000 00000000\n 0d3ceea0 00000000 00000000 00000000 00000000\n 0d3ceeb0 00000000 0d3ceec8 00000011 00000000\n 0d3ceec0 0d7e0f1c 6e087f00 6e30c61f 00000064\n 0d3ceed0 0000000f e16b33b0 0d00ef58 6e30c298\n 0d3ceee0 6e2c965e 0d7e0f08 6e2c966a e16b3398\n 0d3ceef0 0d3cef30 6e2c96c2 6e2c96f3 00000000\n 0d3cef00 0000001c 00000000 00000000 00000000\n 0:013> p\n Breakpoint 2 hit\n eax=00000000 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000003 edi=0d3cf03c\n eip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\n 6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\n 0:013> p\n eax=000000d8 ebx=0d3cee0c ecx=6e2cd399 edx=00000000 esi=00000003 edi=0d3cf03c\n eip=6e2ce777 esp=0d3cec90 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b 
efl=00000216\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x177:\n 6e2ce777 8d4340 lea eax,[ebx+40h]\n 0:013> dd 0d3cee90\n 0d3cee90 0d842f28 0d843000 0d843000 00000000\n 0d3ceea0 00000000 00000000 00000000 00000000\n 0d3ceeb0 00000000 0d3ceec8 00000011 00000000\n 0d3ceec0 0d7e0f1c 6e087f00 6e30c61f 00000064\n 0d3ceed0 0000000f e16b33b0 0d00ef58 6e30c298\n 0d3ceee0 6e2c965e 0d7e0f08 6e2c966a e16b3398\n 0d3ceef0 0d3cef30 6e2c96c2 6e2c96f3 00000000\n 0d3cef00 0000001c 00000000 00000000 00000000\n ```\n \n\nIn the above debugging output, it can be seen that the resize argument is 3 and that `this` points to `0x0d3cee90`. After the call, the location at `0d3cee90` holds the vector's begin, end and capacity pointers, so initially the COD_MARKER vector storage starts at `0d842f28` and ends at `0d843000` (3 x 0x48 = 0xD8 bytes). Placing a breakpoint at the above mentioned COD vector assignment code inside `CCodeStreamDecoder::s_CODMarkerDecoder` gives:\n \n \n ```\n Breakpoint 3 hit\n eax=0d3cecc8 ebx=00000000 ecx=0d842f28 edx=000000bb esi=00000000 edi=0d3cee0c\n eip=6e2cd9ca esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1ba:\n 6e2cd9ca e8eee6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\n 0:013> ub\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1a3:\n 6e2cd9b3 c60701 mov byte ptr [edi],1\n 6e2cd9b6 395f3c cmp dword ptr [edi+3Ch],ebx\n 6e2cd9b9 7655 jbe Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x200 (6e2cda10)\n 6e2cd9bb 8bf3 mov esi,ebx\n 6e2cd9bd 8b8f84000000 mov ecx,dword ptr [edi+84h]\n 6e2cd9c3 8d44241c lea eax,[esp+1Ch]\n 6e2cd9c7 50 push eax\n 6e2cd9c8 03ce add ecx,esi\n 0:013> dd ecx\n 0d842f28 c0c0c0c0 00000000 00000000 00000000\n 0d842f38 00000000 00000000 00000000 c0c0c0c0\n 0d842f48 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\n 0d842f58 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\n 0d842f68 c0c0c0c0 c0c0c0c0 c0c0c0c0 00000000\n 0d842f78 
00000000 00000000 00000000 00000000\n 0d842f88 00000000 c0c0c0c0 c0c0c0c0 c0c0c0c0\n 0d842f98 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\n \n ```\n \n\nIn the above debugging output, we hit a breakpoint on a call to `Windows_Data_Pdf!COD_MARKER::operator=` and can see that `ecx` points to the beginning of the resized vector from the previous disassembly. It continues to loop 3 times, as specified by the csiz value.\n\nAs mentioned before, the supplied testcase has a tile part that contains an extra SIZ marker along with a COD marker, so resuming the execution breaks again in `CCodeStreamDecoder::s_SIZMarkerDecoder` during the COD_MARKER vector resize:\n \n \n ```\n Breakpoint 2 hit\n eax=00000003 ebx=0d3cee0c ecx=0d3cee90 edx=00000000 esi=00000004 edi=0d3cf03c\n eip=6e2ce772 esp=0d3cec8c ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x172:\n 6e2ce772 e8e4ebffff call Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::resize (6e2cd35b)\n 0:013> bu\n breakpoint 2 redefined\n 0:013> ub\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x158:\n 6e2ce758 0fb7f0 movzx esi,ax\n 6e2ce75b 8d4b78 lea ecx,[ebx+78h]\n 6e2ce75e 56 push esi\n 6e2ce75f 89742438 mov dword ptr [esp+38h],esi\n 6e2ce763 89733c mov dword ptr [ebx+3Ch],esi\n 6e2ce766 e884ecffff call Windows_Data_Pdf!std::vector<QCD_MARKER,std::allocator<QCD_MARKER> >::resize (6e2cd3ef)\n 6e2ce76b 56 push esi\n 6e2ce76c 8d8b84000000 lea ecx,[ebx+84h]\n 0:013> dd ecx\n 0d3cee90 0d842f28 0d843000 0d843000 00000000\n 0d3ceea0 00000000 00000000 00000000 00000000\n 0d3ceeb0 00000000 00000008 00000008 00000000\n 0d3ceec0 0d7e0f1c 6e087f01 00000004 00000000\n 0d3ceed0 01001002 e16b3348 0d00eea0 00000000\n 0d3ceee0 000001af 00000146 00000000 00000000\n 0d3ceef0 00000100 00000100 00000000 00000000\n 0d3cef00 00000003 0d85cff0 0d85cffc 0d85cffc\n 0:013> p\n eax=00000048 ebx=0d3cee0c ecx=6e2cd399 
edx=00000000 esi=00000004 edi=0d3cf03c\n eip=6e2ce777 esp=0d3cec90 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216\n Windows_Data_Pdf!CCodeStreamDecoder::s_SIZMarkerDecoder+0x177:\n 6e2ce777 8d4340 lea eax,[ebx+40h]\n 0:013> dd 0d3cee90\n 0d3cee90 0dab8ee0 0dab9000 0dab9000 00000000\n 0d3ceea0 00000000 00000000 00000000 00000000\n 0d3ceeb0 00000000 00000008 00000008 00000000\n 0d3ceec0 0d7e0f1c 6e087f01 00000004 00000000\n 0d3ceed0 01001002 e16b3348 0d00eea0 00000000\n 0d3ceee0 000001af 00000146 00000000 00000000\n 0d3ceef0 00000100 00000100 00000000 00000000\n 0d3cef00 00000003 0d85cff0 0d85cffc 0d85cffc\n \n ```\n \n\nIn the above debugging output, a call to resize is made with the same `this` as previously. Before the call, the same vector pointers are at `0d3cee90`, but after the call, the vector has been reallocated because of the resize. In the above code, the value of `esi`, the argument to resize, is 4, which is the csiz value specified in the second SIZ element in the file. In short, the COD_MARKER vector had to be resized to 4, which reallocated it, meaning that the previously saved pointers are invalidated. Continuing execution leads us again to the COD element decoder, but this time a different path is taken. 
Instead of a new reference to the resized vector, the old one is used, but with the new counter:\n \n \n ```\n eax=0d3cecc8 ebx=00000000 ecx=0d872f28 edx=00001ec6 esi=00000000 edi=0d3cee0c\n eip=6e2cd9f5 esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\n 6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\n 0:013> ub\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1d2:\n 6e2cd9e2 5f pop edi\n 6e2cd9e3 3c76 cmp al,76h\n 6e2cd9e5 1d8bf38b8f sbb eax,8F8BF38Bh\n 6e2cd9ea 3c01 cmp al,1\n 6e2cd9ec 0000 add byte ptr [eax],al\n 6e2cd9ee 8d44241c lea eax,[esp+1Ch]\n 6e2cd9f2 50 push eax\n 6e2cd9f3 03ce add ecx,esi\n 0:013> dd ecx\n 0d872f28 c0c0c001 00000000 00000000 00000000\n 0d872f38 00000000 00000000 00000000 00000000\n 0d872f48 00000000 00000005 00000001 00000001\n 0d872f58 00000020 00000020 00000000 c0c00000\n 0d872f68 00000001 00000001 c0c0c001 00000000\n 0d872f78 00000000 00000000 00000000 00000000\n 0d872f88 00000000 00000000 00000000 00000005\n 0d872f98 00000001 00000001 00000020 00000020\n 0:013> u\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\n 6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\n 6e2cd9fa 43 inc ebx\n 6e2cd9fb 83c648 add esi,48h\n 6e2cd9fe 3b5f3c cmp ebx,dword ptr [edi+3Ch]\n 6e2cda01 72e5 jb Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1d8 (6e2cd9e8)\n 6e2cda03 6afe push 0FFFFFFFEh\n 6e2cda05 58 pop eax\n 6e2cda06 2b442414 sub eax,dword ptr [esp+14h]\n 0:013> dd edi+3c L1\n 0d3cee48 00000004\n \n ```\n \n\nIn the above debugging output, we can see that the max counter value is 4 (as specified by the new csiz value), but the vector being used is still the same as before, `0d872f28`. 
In the fourth iteration of this loop, the index into the vector elements will be increased past the allocated heap chunk, resulting in an out-of-bounds memory access:\n \n \n ```\n Breakpoint 4 hit\n eax=0d3cecc8 ebx=00000003 ecx=0d873000 edx=00000000 esi=000000d8 edi=0d3cee0c\n eip=6e2cd9f5 esp=0d3ceca8 ebp=0d3ced54 iopl=0 nv up ei pl nz ac pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216\n Windows_Data_Pdf!CCodeStreamDecoder::s_CODMarkerDecoder+0x1e5:\n 6e2cd9f5 e8c3e6ffff call Windows_Data_Pdf!COD_MARKER::operator= (6e2cc0bd)\n 0:013> dd ecx\n 0d873000 ???????? ???????? ???????? ????????\n 0d873010 ???????? ???????? ???????? ????????\n 0d873020 ???????? ???????? ???????? ????????\n 0d873030 ???????? ???????? ???????? ????????\n 0d873040 ???????? ???????? ???????? ????????\n 0d873050 ???????? ???????? ???????? ????????\n 0d873060 ???????? ???????? ???????? ????????\n 0d873070 ???????? ???????? ???????? ????????\n \n ```\n \n\nThis ultimately leads to a crash due to an invalid memory write.\n\nWith page heap turned off, memory past the end of the heap chunk above will be readable and writable, so the process wouldn\u2019t crash there. By carefully controlling the contents of the memory past the adjacent chunk, further memory corruption can be achieved, possibly leading to arbitrary code execution. Similarly to the COD marker, CQD marker parsing is affected by the same out-of-bounds access/write issue. 
A stale reference is reused there too, leading to other interesting memory overwrite primitives:\n \n \n ```\n .text:6E2CE03F mov ecx, [ebx+130h]\n .text:6E2CE045 lea eax, [esp+0ACh+var_8C]\n .text:6E2CE049 push eax\n .text:6E2CE04A add ecx, edi\n .text:6E2CE04C call QCD_MARKER::operator=(QCD_MARKER const &)\n .text:6E2CE051 inc esi\n .text:6E2CE052 add edi, 20h\n .text:6E2CE055 cmp esi, [ebx+3Ch]\n .text:6E2CE058 jb short loc_6E2CE0\n ```\n \n\nThe above disassembly is from the `CCodeStreamDecoder::s_QCDMarkerDecoder` method, and in it the stale CQD vector pointer is used to iterate through its elements with an assignment operator. The same out-of-bounds issue occurs and leads to a different crash inside `QCD_MARKER::operator=`, where a call to `memmove` is passed a pointer from invalid memory.\n\nFinally, without page heap, the following crash occurs:\n \n \n ```\n (218.fa0): Windows Runtime Originate Error - code 40080201 (first chance)\n (218.fa0): C++ EH exception - code e06d7363 (first chance)\n (218.fa0): Windows Runtime Originate Error - code 40080201 (first chance)\n (218.fa0): C++ EH exception - code e06d7363 (first chance)\n (218.13cc): C++ EH exception - code e06d7363 (first chance)\n HEAP[mspdf.exe]: Invalid address specified to RtlFreeHeap( 00A90000, 033B4D40 )\n (218.13cc): Break instruction exception - code 80000003 (first chance)\n eax=00258000 ebx=033b4d38 ecx=033b4d38 edx=0000003f esi=00a90000 edi=00000000\n eip=7778ee8a esp=0426da84 ebp=0426da9c iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202\n ntdll!RtlpBreakPointHeap+0x19:\n 7778ee8a cc int 3\n 0:014> k 10\n # ChildEBP RetAddr\n 00 0426da80 7773cce7 ntdll!RtlpBreakPointHeap+0x19\n 01 0426da9c 7778e0a8 ntdll!RtlpValidateHeapEntry+0x6c924\n 02 0426daf4 776ecc3e ntdll!RtlDebugFreeHeap+0xbf\n 03 0426dbf8 776eb4c8 ntdll!RtlpFreeHeap+0xc3e\n 04 0426dc24 770577a5 ntdll!RtlFreeHeap+0x268\n 05 0426dc70 6e029505 msvcrt!free+0x65\n 06 0426dc80 6e1f9481 
Windows_Data_Pdf!std::vector<double,std::allocator<double> >::~vector<double,std::allocator<double> >+0x1a\n 07 0426dc98 6e1f8e56 Windows_Data_Pdf!std::vector<std::unique_ptr<CTile,std::default_delete<CTile> >,std::allocator<std::unique_ptr<CTile,std::default_delete<CTile> > > >::_Tidy+0x2f\n 08 0426dca0 77050ea7 Windows_Data_Pdf!CCodeStreamDecoder::~CCodeStreamDecoder+0x1b\n 09 0426ed2c 6e1f8b47 msvcrt!_NLG_Return\n 0a 0426ed90 6e1f8740 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\n 0b 0426ed98 6e05660f Windows_Data_Pdf!PDF::CJPXDecoderByteStream::DecodeData+0x10\n 0c 0426eddc 6e28c7e0 Windows_Data_Pdf!Infra::CByteStreamDecorator::Initialize+0x5f\n 0d 0426ee08 6e0e6a3f Windows_Data_Pdf!PDF::CPDFFactory::CreateByteStreamJPXDecoder+0x50\n 0e 0426ef8c 6e0550b9 Windows_Data_Pdf!PDF::CStreamObject::_Decompress+0x9196b\n 0f 0426efb4 6e1b91ed Windows_Data_Pdf!PDF::CStreamObject::DecodeByteStream+0x49\n \n ```\n \n\nThe above crash occurs after the out-of-bounds memory write in the COD marker decoder corrupts heap metadata and an invalid pointer gets used during the CQD decoder.\n \n\nIn order to successfully exploit this vulnerability, a high degree of control over the heap contents is needed, which can possibly be achieved with calculated placement of tile information and other boxes in the jp2 file. It is also possible that the vulnerability can be triggered multiple times while parsing the same file, giving the attacker even greater control over the overwrites.\n\nIn summary, the vulnerability is due to the fact that a SIZ element present inside the tile data element (which seems to violate the standard) resizes the COD and CQD vectors, but a stale pointer gets reused, leading to an out-of-bounds write. 
Detection of malicious files of this nature can be based on the fact that one or more tile parts have a SIZ element that specifies a csiz greater than that of the initial, global SIZ element.\n\nVulnerability analysis was done on a simple custom sample application that uses the PDF API, but the supplied testcase also crashes in the Microsoft Edge browser.\n\n### Crash Information\n\nWith application verifier and page heap enabled, output of \u201canalyze -v\u201d:\n \n \n (20.90): Windows Runtime Originate Error - code 40080201 (first chance)\n (20.90): C++ EH exception - code e06d7363 (first chance)\n (20.90): Windows Runtime Originate Error - code 40080201 (first chance)\n (20.90): C++ EH exception - code e06d7363 (first chance)\n (20.f3c): C++ EH exception - code e06d7363 (first chance)\n \n \n ===========================================================\n VERIFIER STOP 0000000F: pid 0x20: corrupted suffix pattern\n \n 063C1000 : Heap handle\n 094EFCF0 : Heap block\n 000000D8 : Block size\n 094EFDC8 : corruption address\n ===========================================================\n This verifier stop is not continuable. Process will be terminated\n when you use the `go' debugger command.\n ===========================================================\n \n (20.f3c): Break instruction exception - code 80000003 (first chance)\n eax=060af260 ebx=00000000 ecx=060af260 edx=0000000f esi=094efcf0 edi=72f411a0\n eip=72f3cbfe esp=0a4ad8dc ebp=0a4ad900 iopl=0 nv up ei pl nz na po nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202\n verifier!VerifierStopMessage+0x27e:\n 72f3cbfe cc int 3\n 0:014> !analyze -v\n *******************************************************************************\n * *\n * Exception Analysis *\n * *\n *******************************************************************************\n \n APPLICATION_VERIFIER_HEAPS_CORRUPTED_HEAP_BLOCK_SUFFIX (f)\n Corrupted suffix pattern for heap block.\n Most typically this happens for buffer overrun errors. 
Sometimes the application\n verifier places non-accessible pages at the end of the allocation and buffer\n overruns will cause an access violation and sometimes the heap block is\n followed by a magic pattern. If this pattern is changed when the block gets\n freed you will get this break. These breaks can be quite difficult to debug\n because you do not have the actual moment when corruption happened.\n You just have access to the free moment (stop happened here) and the\n allocation stack trace (!heap -p -a HEAP_BLOCK_ADDRESS)\n Arguments:\n Arg1: 063c1000, Heap handle used in the call.\n Arg2: 094efcf0, Heap block involved in the operation.\n Arg3: 000000d8, Size of the heap block.\n Arg4: 094efdc8, Corruption address.\n \n DUMP_CLASS: 2\n \n DUMP_QUALIFIER: 0\n \n FAULTING_IP:\n verifier!VerifierStopMessage+27e\n 72f3cbfe cc int 3\n \n EXCEPTION_RECORD: (.exr -1)\n ExceptionAddress: 72f3cbfe (verifier!VerifierStopMessage+0x0000027e)\n ExceptionCode: 80000003 (Break instruction exception)\n ExceptionFlags: 00000000\n NumberParameters: 1\n Parameter[0]: 00000000\n \n FAULTING_THREAD: 00000f3c\n \n DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AVRF\n \n PROCESS_NAME: mspdf.exe\n \n ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.\n \n EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid\n \n EXCEPTION_CODE_STR: 80000003\n \n EXCEPTION_PARAMETER1: 00000000\n \n WATSON_BKT_PROCSTAMP: 5706a632\n \n WATSON_BKT_MODULE: verifier.dll\n \n WATSON_BKT_MODSTAMP: 5632d7df\n \n WATSON_BKT_MODOFFSET: cbfe\n \n WATSON_BKT_MODVER: 10.0.10586.0\n \n MODULE_VER_PRODUCT: Microsoft\u00ae Windows\u00ae Operating System\n \n BUILD_VERSION_STRING: 10.0.10586.162 (th2_release_sec.160223-1728)\n \n MODLIST_WITH_TSCHKSUM_HASH: 6648028320ab5cbba7b6c72455d4e5c1de630a24\n \n MODLIST_SHA1_HASH: 5c045408b1c06db5d658dde68dc1f6871a92acac\n \n NTGLOBALFLAG: 2000100\n \n APPLICATION_VERIFIER_FLAGS: 48004\n \n PRODUCT_TYPE: 1\n \n 
SUITE_MASK: 272\n \n APPLICATION_VERIFIER_LOADED: 1\n \n APP: mspdf.exe\n \n ANALYSIS_SESSION_HOST: DESKTOP-G0NTBS7\n \n ANALYSIS_SESSION_TIME: 04-24-2016 20:00:13.0430\n \n ANALYSIS_VERSION: 10.0.10586.567 x86fre\n \n THREAD_ATTRIBUTES:\n OS_LOCALE: ENU\n \n PROBLEM_CLASSES:\n \n \n \n \n Tid [0x0]\n Frame [0x00]\n String [STATUS_BREAKPOINT]\n Data Bucketing\n \n \n \n AVRF\n Tid [0xf3c]\n Frame [0x00]: verifier!VerifierStopMessage\n Failure Bucketing\n \n \n BUGCHECK_STR: STATUS_BREAKPOINT_AVRF\n \n STACK_TEXT:\n 0a4ad900 72f3aa52 0000000f 72f31b80 063c1000 verifier!VerifierStopMessage+0x27e\n 0a4ad964 72f3ae8a 063c1000 00000000 094efcf0 verifier!AVrfpDphReportCorruptedBlock+0x1c2\n 0a4ad9c0 72f3bc3b 063c1000 094efcf0 00000000 verifier!AVrfpDphCheckNormalHeapBlock+0x11a\n 0a4ad9e0 72f411b2 063c0000 094efcf0 0a4ada50 verifier!AvrfpDphCheckPageHeapAllocation+0x6b\n 0a4ad9f0 72f51def 063c0000 094efcf0 638dce2d verifier!VerifierCheckPageHeapAllocation+0x12\n 0a4ada50 770577a5 063c0000 00000000 094efcf0 verifier!AVrfpRtlFreeHeap+0x5f\n 0a4ada9c 72f52dd5 094efcf0 638dcea9 094efdc8 msvcrt!free+0x65\n 0a4adad4 6e2c934e 094efcf0 e06d7363 19930522 verifier!AVrfp_delete+0x45\n 0a4adae8 6e2c8f8b 0a4ae96c 6e2c8e61 00000000 Windows_Data_Pdf!std::vector<COD_MARKER,std::allocator<COD_MARKER> >::_Tidy+0x38\n 0a4adaf0 6e2c8e61 00000000 77050ea7 e06d7363 Windows_Data_Pdf!JPXMetadata::~JPXMetadata+0x26\n 0a4adaf8 77050ea7 e06d7363 00000000 0a4adb18 Windows_Data_Pdf!CCodeStreamDecoder::~CCodeStreamDecoder+0x26\n 0a4aeb64 6e2c8b47 094e9de4 00000800 aaa50673 msvcrt!_NLG_Return\n 0a4aebc8 6e2c8740 094e9dcc 6e12660f 094e9dcc Windows_Data_Pdf!PDF::CJPXDecoderByteStream::_Decode+0xdf\n 0a4aebd0 6e12660f 094e9dcc 6e1265b0 0a4aec34 Windows_Data_Pdf!PDF::CJPXDecoderByteStream::DecodeData+0x10\n 0a4aec14 6e35c7e0 aaa5014b 09456e34 6e35c790 Windows_Data_Pdf!Infra::CByteStreamDecorator::Initialize+0x5f\n 0a4aec40 6e1b6a3f 0a4aec6c 0a4aee4c 094e9d40 
Windows_Data_Pdf!PDF::CPDFFactory::CreateByteStreamJPXDecoder+0x50\n 0a4aedc4 6e1250b9 0a4aee4c 094e9d40 6e125070 Windows_Data_Pdf!PDF::CStreamObject::_Decompress+0x9196b\n 0a4aedec 6e2891ed 0a4aee4c 094e9d40 aaa51d87 Windows_Data_Pdf!PDF::CStreamObject::DecodeByteStream+0x49\n 0a4af08c 6e2874e6 0a4af2d8 094e88f8 094e8900 Windows_Data_Pdf!Builder::CImageHandler::_LoadImageObject+0x198\n 0a4af0d4 6e25a50c 0a4af2d8 094e88f8 094e8900 Windows_Data_Pdf!Builder::CImageHandler::LoadImageObject+0x41\n 0a4af158 6e353406 0a4af2d8 0a4af3b8 094cb464 Windows_Data_Pdf!Builder::CResourceFactory::LoadImageSource+0xbc\n 0a4af5f4 6e3101ba 094e943c 6e310190 094e9430 Windows_Data_Pdf!PageElements::GraphicsCommandUpdater::UpdateGraphicsCommand+0xee6\n 0a4af60c 6e1282da 6e12b880 094e93d0 aaa51b2b Windows_Data_Pdf!std::_Func_impl<std::_Callable_obj<<lambda_267d1e4465265120ffca50182e13906e>,0>,std::allocator<std::_Func_class<void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil> >,void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::_Do_call+0x2a\n 0a4af620 6e12b888 6e127fbf 094e91f8 094e9208 Windows_Data_Pdf!std::_Func_class<void,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::operator()+0x5a\n 0a4af624 6e127fbf 094e91f8 094e9208 aaa51b33 Windows_Data_Pdf!std::_Func_impl<std::_Callable_obj<Infra::GlobalTask,0>,std::allocator<std::_Func_class<bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil> >,bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::_Do_call+0x8\n 0a4af638 6e127d2b 6e1dc410 094e9740 00000001 Windows_Data_Pdf!std::_Func_class<bool,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil,std::_Nil>::operator()+0x49\n 0a4af648 6e1dc42f aaa51b73 6e1dc410 094e9850 Windows_Data_Pdf!Infra::CTask::Execute+0x33\n 0a4af678 6d8353df 094e9740 094e9850 0a4af894 Windows_Data_Pdf!Infra::CAsyncTpWorker::CTpWorkItem::Invoke+0x1f\n 0a4af6a4 6d834d20 5ab46f05 0a4af894 
08b03ff0 threadpoolwinrt!Windows::System::Threading::CThreadPoolWorkItem::CommonWorkCallback+0xaf\n 0a4af6d4 776dde13 0a4af894 094e9850 08b03ff0 threadpoolwinrt!Windows::System::Threading::CThreadPoolWorkItem::BatchedCallback+0x60\n 0a4af7c4 776dcc25 0a4af894 08b04060 738bf041 ntdll!TppWorkpExecuteCallback+0x153\n 0a4af974 750238f4 08abe0a8 750238d0 f814e18b ntdll!TppWorkerThread+0x555\n 0a4af988 77715de3 08abe0a8 738bf0e5 00000000 KERNEL32!BaseThreadInitThunk+0x24\n 0a4af9d0 77715dae ffffffff 7773b7db 00000000 ntdll!__RtlUserThreadStart+0x2f\n 0a4af9e0 00000000 776dc6d0 08abe0a8 00000000 ntdll!_RtlUserThreadStart+0x1b\n \n \n THREAD_SHA1_HASH_MOD_FUNC: 6315750fc53d807b4155ffc0842ee6a03c9f40f3\n \n THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f4a0d5cef213b9229c67ca969977acae24171ac9\n \n THREAD_SHA1_HASH_MOD: 7f0f6cd60042c923021fe565fe770b7a413be340\n \n FOLLOWUP_IP:\n verifier!VerifierStopMessage+27e\n 72f3cbfe cc int 3\n \n FAULT_INSTR_CODE: f87d83cc\n \n SYMBOL_STACK_INDEX: 0\n \n SYMBOL_NAME: verifier!VerifierStopMessage+27e\n \n FOLLOWUP_NAME: MachineOwner\n \n MODULE_NAME: verifier\n \n IMAGE_NAME: verifier.dll\n \n DEBUG_FLR_IMAGE_TIMESTAMP: 5632d7df\n \n STACK_COMMAND: ~14s ; kb\n \n BUCKET_ID: STATUS_BREAKPOINT_AVRF_verifier!VerifierStopMessage+27e\n \n PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF_verifier!VerifierStopMessage+27e\n \n BUCKET_ID_OFFSET: 27e\n \n BUCKET_ID_MODULE_STR: verifier\n \n BUCKET_ID_MODTIMEDATESTAMP: 5632d7df\n \n BUCKET_ID_MODCHECKSUM: 5c097\n \n BUCKET_ID_MODVER_STR: 10.0.10586.0\n \n BUCKET_ID_PREFIX_STR: STATUS_BREAKPOINT_AVRF_\n \n FAILURE_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF\n \n FAILURE_EXCEPTION_CODE: 80000003\n \n FAILURE_IMAGE_NAME: verifier.dll\n \n FAILURE_FUNCTION_NAME: VerifierStopMessage\n \n BUCKET_ID_FUNCTION_STR: VerifierStopMessage\n \n FAILURE_SYMBOL_NAME: verifier.dll!VerifierStopMessage\n \n FAILURE_BUCKET_ID: STATUS_BREAKPOINT_AVRF_80000003_verifier.dll!VerifierStopMessage\n \n TARGET_TIME: 2016-04-24T18:00:19.000Z\n 
\n OSBUILD: 10586\n \n OSSERVICEPACK: 0\n \n SERVICEPACK_NUMBER: 0\n \n OS_REVISION: 0\n \n OSPLATFORM_TYPE: x86\n \n OSNAME: Windows 10\n \n OSEDITION: Windows 10 WinNt SingleUserTS\n \n USER_LCID: 0\n \n OSBUILD_TIMESTAMP: 2015-10-30 03:46:21\n \n BUILDDATESTAMP_STR: 160223-1728\n \n BUILDLAB_STR: th2_release_sec\n \n BUILDOSVER_STR: 10.0.10586.162\n \n ANALYSIS_SESSION_ELAPSED_TIME: 176f\n \n ANALYSIS_SOURCE: UM\n \n FAILURE_ID_HASH_STRING: um:status_breakpoint_avrf_80000003_verifier.dll!verifierstopmessage\n \n FAILURE_ID_HASH: {bedb7089-3b9b-ca23-9c37-a0231a6648d3}\n \n Followup: MachineOwner\n ---------\n \n\n### Timeline\n \n \n 2016-04-28 - Vendor Disclosure\n 2016-08-09 - Public Release\n \n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n", "edition": 13, "modified": "2016-08-09T00:00:00", "published": "2016-08-09T00:00:00", "id": "TALOS-2016-0170", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0170", "title": "Microsoft Windows PDF API Jpeg2000 csiz Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:10", "bulletinFamily": "info", "cvelist": ["CVE-2016-3319"], "description": "## In Brief\n\nMicrosoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows.\n\n \nA security bulletin, [MS16-102](<https://technet.microsoft.com/en-us/library/security/ms16-102.aspx>), patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view 
specially-crafted PDF content in your web browser. \n \nUsers of Microsoft Edge on Windows 10 systems are at significant risk of remote code execution (RCE) attacks through a malicious PDF file. \n \n\n\n### Web Page with PDF Can Hack Your Windows Computer\n\n \nSince Edge automatically renders PDF content when the browser is set as the default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute simply by viewing a PDF online. \n \nWeb browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have to convince users to open a specially crafted PDF file, typically via an email or instant message, Microsoft said in its advisory. \n \nOnce exploited, the flaw corrupts memory, allowing a hacker to run malicious code with the same privileges as the user. All the hacker needs is to either lure victims to a website containing a malicious PDF or add an infected PDF file to a website that accepts user-provided content. \n \nWhile this vulnerability has not been publicly disclosed nor seen in any attacks, it is expected to be an attractive attack vector for hackers. \n \n\n\n### **Other Critical Bugs can Take Complete Control of Your PC**\n\n \nA separate critical update for Edge listed in [MS16-096](<https://technet.microsoft.com/library/security/MS16-096>) patches five remote code execution (RCE) flaws and three information disclosure bugs. \n \nThe company also released its monthly cumulative security update, [MS16-095](<https://technet.microsoft.com/library/security/MS16-095>), for Internet Explorer (IE), patching nine vulnerabilities that can be exploited by a malicious web page to pull off remote code execution through a memory corruption bug or to disclose information about the system. 
\n \nAnother critical update is the Microsoft Office patch [MS16-099](<https://technet.microsoft.com/en-us/library/security/ms16-099.aspx>), which addresses four memory corruption bugs in Office that can be exploited remotely by booby-trapped documents to execute malicious code on a victim's system, taking full control of the victim's machine. \n \nThe update also includes a patch for an information disclosure hole in Microsoft OneNote, which discloses memory contents and information that could be used to compromise a machine. \n \nIn addition to Windows versions of Office going back to Office 2007, Microsoft is also releasing a patch for Office for Mac 2011 and 2016. \n \nThe final critical bulletin, [MS16-097](<https://technet.microsoft.com/library/security/MS16-097>), patches three Remote Code Execution flaws in the font handling library of the Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync that can be exploited by a malicious web page or an Office document. \n \nFor the second time, the technology giant also released a security update for Secure Boot. Rated important, [MS16-100](<https://technet.microsoft.com/en-us/library/security/ms16-100.aspx>), the update patches a security feature bypass vulnerability that occurs when Secure Boot loads a vulnerable boot manager, which could allow a hidden bootkit or rootkit to be installed. \n \nThis design flaw has been fixed in all supported versions of Windows and Windows Server. 
\n \nOther important bulletins address [vulnerabilities](<https://technet.microsoft.com/en-us/library/security/ms16-101.aspx>) that lead to man-in-the-middle attacks on Windows and Windows Server, an [information disclosure](<https://technet.microsoft.com/en-us/library/security/ms16-103.aspx>) vulnerability in the Universal Outlook component for Windows 10, and four [elevation of privilege flaws](<https://technet.microsoft.com/en-us/library/security/ms16-098.aspx>) in kernel-mode drivers for Windows Vista through Windows 10 and Windows Server 2008 and 2012. \n \nThe company has also issued Cumulative Updates (_KB3176493, KB3176495, KB3176492_) for Windows 10 users, so those who have upgraded their systems to Microsoft's new operating system should install the updates as soon as possible. \n \nUsers are advised to patch their systems and software as soon as possible.\n", "modified": "2016-08-10T09:05:53", "published": "2016-08-09T21:38:00", "id": "THN:2430321DE5D0D58ADEE21A4CEA8BC6A7", "href": "https://thehackernews.com/2016/08/windows-patch-updates.html", "type": "thn", "title": "Microsoft Releases 9 Security Updates to Patch 34 Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T05:43:51", "description": "The remote Windows host is missing a security update. It is,\ntherefore, affected by a remote code execution vulnerability in the\nMicrosoft Windows PDF Library due to improper handling of objects in\nmemory. 
An unauthenticated, remote attacker can exploit this\nvulnerability by convincing a user to open a specially crafted PDF\nfile or visit a website containing specially crafted PDF content,\nresulting in the execution of arbitrary code in the context of the\ncurrent user.", "edition": 28, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-09T00:00:00", "title": "MS16-102: Security Update for Microsoft Windows PDF Library (3182248)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3319"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-102.NASL", "href": "https://www.tenable.com/plugins/nessus/92824", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92824);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-3319\");\n script_bugtraq_id(92293);\n script_xref(name:\"MSFT\", value:\"MS16-102\");\n script_xref(name:\"MSKB\", value:\"3175887\");\n script_xref(name:\"MSKB\", value:\"3176492\");\n script_xref(name:\"MSKB\", value:\"3176493\");\n script_xref(name:\"MSKB\", value:\"3176495\");\n\n script_name(english:\"MS16-102: Security Update for Microsoft Windows PDF Library (3182248)\");\n script_summary(english:\"Checks the version of glcndfilter.dll and windows.data.pdf.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by a remote code execution vulnerability in the\nMicrosoft Windows PDF Library due to improper handling of objects in\nmemory. 
An unauthenticated, remote attacker can exploit this\nvulnerability by convincing a user to open a specially crafted PDF\nfile or visit a website containing specially crafted PDF content,\nresulting in the execution of arbitrary code in the context of the\ncurrent user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-102\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2012, 8.1, RT 8.1,\n2012 R2, and 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3319\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-102';\nkbs = make_list('3175887', '3176492', '3176493', '3176495');\n\nif (get_kb_item(\"Host/patch_management_checks\"))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0', win81:'0', win10:'0') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\n# Server Core 2012 R2 is listed as affected, however no update\n# is offered and the files in question do not exist in a close look\n# at a 2012 R2 core host.\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share))\n audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Server 2012 R2\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"windows.data.pdf.dll\", version:\"6.3.9600.18403\", min_version:\"6.3.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3175887\") ||\n # Server 2012\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"glcndfilter.dll\", version:\"6.2.9200.21924\", min_version:\"6.2.9200.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3175887\") ||\n # Windows 10 1511\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"windows.data.pdf.dll\", version:\"10.0.10586.545\", 
os_build:\"10586\", dir:\"\\system32\", bulletin:bulletin, kb:\"3176493\") ||\n # Windows 10\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"windows.data.pdf.dll\", version:\"10.0.10240.17071\", os_build:\"10240\", dir:\"\\system32\", bulletin:bulletin, kb:\"3176492\")\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:43:51", "description": "The version of Microsoft Edge installed on the remote Windows host is\nmissing Cumulative Security Update 3177358. It is, therefore, affected\nby multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist due\n to a failure to properly access objects in memory. A\n remote attacker can exploit these vulnerabilities by\n convincing a user to visit a specially crafted website,\n resulting in the execution of arbitrary code in the\n context of the current user. (CVE-2016-3289,\n CVE-2016-3293, CVE-2016-3319, CVE-2016-3322)\n\n - A remote code execution vulnerability exists in the\n Chakra JavaScript engine due to improper handling of\n objects in memory. A remote attacker can exploit this\n vulnerability by convincing a user to visit a specially\n crafted website or open a specially crafted Office\n document, resulting in the execution of arbitrary code\n in the context of the current user. (CVE-2016-3296)\n\n - Multiple information disclosure vulnerabilities exist\n due to improper handling of objects in memory. A remote\n attacker can exploit these vulnerabilities by convincing\n a user to visit a specially crafted website, resulting\n in the disclosure of sensitive information.\n (CVE-2016-3326, CVE-2016-3327)\n\n - An information disclosure vulnerability exists due to\n improper handling of page content. 
A remote attacker can\n exploit this vulnerability by convincing a user to visit\n a specially crafted website, resulting in the disclosure\n of specific files on a user's system. (CVE-2016-3329)", "edition": 32, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-09T00:00:00", "title": "MS16-096: Cumulative Security Update for Microsoft Edge (3177358)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3329", "CVE-2016-3319", "CVE-2016-3322", "CVE-2016-3296", "CVE-2016-3326", "CVE-2016-3289", "CVE-2016-3327", "CVE-2016-3293"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS16-096.NASL", "href": "https://www.tenable.com/plugins/nessus/92820", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92820);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\n \"CVE-2016-3289\",\n \"CVE-2016-3293\",\n \"CVE-2016-3296\",\n \"CVE-2016-3319\",\n \"CVE-2016-3322\",\n \"CVE-2016-3326\",\n \"CVE-2016-3327\",\n \"CVE-2016-3329\"\n );\n script_bugtraq_id(\n 92282,\n 92283,\n 92284,\n 92285,\n 92286,\n 92287,\n 92293,\n 92305\n );\n script_xref(name:\"MSFT\", value:\"MS16-096\");\n script_xref(name:\"MSKB\", value:\"3176492\");\n script_xref(name:\"MSKB\", value:\"3176493\");\n script_xref(name:\"MSKB\", value:\"3176495\");\n\n script_name(english:\"MS16-096: Cumulative Security Update for Microsoft Edge (3177358)\");\n script_summary(english:\"Checks the file version of edgehtml.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web browser installed that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is\nmissing Cumulative Security Update 3177358. 
It is, therefore, affected\nby multiple vulnerabilities :\n\n - Multiple remote code execution vulnerabilities exist due\n to a failure to properly access objects in memory. A\n remote attacker can exploit these vulnerabilities by\n convincing a user to visit a specially crafted website,\n resulting in the execution of arbitrary code in the\n context of the current user. (CVE-2016-3289,\n CVE-2016-3293, CVE-2016-3319, CVE-2016-3322)\n\n - A remote code execution vulnerability exists in the\n Chakra JavaScript engine due to improper handling of\n objects in memory. A remote attacker can exploit this\n vulnerability by convincing a user to visit a specially\n crafted website or open a specially crafted Office\n document, resulting in the execution of arbitrary code\n in the context of the current user. (CVE-2016-3296)\n\n - Multiple information disclosure vulnerabilities exist\n due to improper handling of objects in memory. A remote\n attacker can exploit these vulnerabilities by convincing\n a user to visit a specially crafted website, resulting\n in the disclosure of sensitive information.\n (CVE-2016-3326, CVE-2016-3327)\n\n - An information disclosure vulnerability exists due to\n improper handling of page content. A remote attacker can\n exploit this vulnerability by convincing a user to visit\n a specially crafted website, resulting in the disclosure\n of specific files on a user's system. 
(CVE-2016-3329)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-096\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 10.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3319\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS16-096';\nkbs = make_list('3176492', '3176493', '3176495');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\n# Server core is not affected\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"edgehtml.dll\", version:\"11.0.14393.51\", os_build:\"14393\", dir:\"\\system32\", bulletin:bulletin, kb:\"3176495\") ||\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"edgehtml.dll\", version:\"11.0.10586.545\", os_build:\"10586\", dir:\"\\system32\", bulletin:bulletin, kb:\"3176493\") ||\n hotfix_is_vulnerable(os:\"10\", sp:0, file:\"edgehtml.dll\", version:\"11.0.10240.17071\", os_build:\"10240\", dir:\"\\system32\", bulletin:bulletin, kb:\"3176492\")\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:43:04", "bulletinFamily": 
"microsoft", "cvelist": ["CVE-2016-3319"], "description": "<html><body><p>Resolves a vulnerability in Windows that could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user views specially crafted PDF content online or opens a specially crafted PDF document. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on and has administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-102\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-102</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3175887\" id=\"kb-link-6\" target=\"_self\">3175887</a>\u00a0MS16-102: Description of the security update for Microsoft Windows PDF library: August 9, 2016\u00a0</li><li><a href=\"https://support.microsoft.com/help/3176492\" id=\"kb-link-7\" target=\"_self\">3176492</a> Cumulative update for Windows 10: August 9, 2016</li><li><a href=\"https://support.microsoft.com/help/3176493 \" id=\"kb-link-8\" target=\"_self\">3176493</a> Cumulative update for Windows 10 Version 1511: August 9, 2016</li><li><a href=\"https://support.microsoft.com/help/3176495\" id=\"kb-link-9\" target=\"_self\">3176495</a> Cumulative update for Windows 10 Version 1607: August 9, 2016</li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to turn on automatic updating, see <br/><a href=\"https://www.microsoft.com/en-us/safety/pc-security/updates.aspx\" id=\"kb-link-11\" target=\"_self\">Get security updates automatically</a>.<br/><br/><span class=\"text-base\">Note</span> For Windows RT 8.1, this update is available through Windows Update only.<br/></div><h3 class=\"sbody-h3\">Method 2: Microsoft Update Catalog</h3><div class=\"kb-collapsible kb-collapsible-expanded\">To get the stand-alone package for this update, go to the <a href=\" http://catalog.update.microsoft.com/v7/site/search.aspx?q=3182248\" id=\"kb-link-12\" target=\"_self\">Microsoft Update Catalog</a> website. <br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 3: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms16-102\" id=\"kb-link-13\" target=\"_self\">Microsoft Security Bulletin MS16-102</a> that corresponds to the version of Windows that you are running. 
<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information<br/></span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\"> Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3175887-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3175887-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-14\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a system restart. If the required files are being used, this update will require a system restart. If this behavior occurs, you receive a message that advises you to restart your system. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3175887\" id=\"kb-link-15\" target=\"_self\">Microsoft Knowledge Base Article 3175887</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> There is no registry key to validate the presence of this update. 
</td></tr></table></div><h4 class=\"sbody-h4\"> Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">Windows8-RT-KB3175887-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">Windows8.1-KB3175887-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-16\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a system restart. If the required files are being used, this update will require a system restart. If this behavior occurs, you receive a message that advises you to restart your system. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3175887\" id=\"kb-link-17\" target=\"_self\">Microsoft Knowledge Base Article 3175887</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> There is no registry key to validate the presence of this update. </td></tr></table></div><h4 class=\"sbody-h4\"> Windows 10 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3176492-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3176492-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3176493-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3176493-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span 
class=\"text-base\">Windows10.0-KB3176495-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3176495-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-18\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update. </td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates. 
</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3176492\" id=\"kb-link-19\" target=\"_self\">Microsoft Knowledge Base Article 3176492</a><br/>See <a href=\"https://support.microsoft.com/help/3176493\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 3176493</a><br/>See <a href=\"https://support.microsoft.com/help/3176495\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3176495</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> There is no registry key to validate the presence of this update. </td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-22\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-23\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-24\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a 
href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-25\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 3, "modified": "2016-08-09T18:33:05", "id": "KB3182248", "href": "https://support.microsoft.com/en-us/help/3182248/", "published": "2016-08-09T00:00:00", "title": "MS16-102: Security update for Microsoft Windows PDF library: August 9, 2016", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:37:48", "bulletinFamily": "microsoft", "cvelist": ["CVE-2016-3329", "CVE-2016-3319", "CVE-2016-3322", "CVE-2016-3296", "CVE-2016-3326", "CVE-2016-3289", "CVE-2016-3327", "CVE-2016-3293"], "description": "<html><body><p>Resolves a vulnerability in Microsoft Edge that could allow remote code execution if a user views a specially crafted webpage in Microsoft Edge.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves multiple vulnerabilities in Microsoft Edge. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage in Microsoft Edge. To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-096\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-096</a>. <span></span></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><h3 class=\"sbody-h3\">Windows Update</h3>This update is available through Windows Update and Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. 
For more information about how to get security updates automatically, see the \"Turn on automatic updating in Control Panel\" section of\u00a0<a href=\"https://technet.microsoft.com/library/security/ms16-096\" id=\"kb-link-3\" target=\"_self\">Microsoft Security Bulletin MS16-096</a>.</div><h2></h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">More information about this security update</h3>The following articles contain more information about this security update:<ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/en-us/help/3176492\" id=\"kb-link-4\">3176492 </a> Cumulative update for Windows 10: August 9, 2016</li><li><a href=\"https://support.microsoft.com/en-us/help/3176493\" id=\"kb-link-5\">3176493 </a> Cumulative update for Windows 10 Version 1511: August 9, 2016</li><li><a href=\"https://support.microsoft.com/en-us/help/3176495\" id=\"kb-link-6\">3176495 </a> Cumulative Update for Windows 10 Version 1607: August 9, 2016 </li></ul><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><h5 class=\"sbody-h5 text-subtitle\">Reference Table</h5>The following table contains the security update information for this software.<div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3176492-x86.msu</span></td></tr><tr 
class=\"sbody-tr\"><td class=\"sbody-td\">\u3000</td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3176492-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u3000</td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3176493-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u3000</td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3176493-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u3000</td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3176495-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">\u3000</td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3176495-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-7\" target=\"_self\">Microsoft Knowledge Base Article 934307</a> and <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-8\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">A system restart is required after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span 
class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under <strong class=\"uiterm\">See also</strong>, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3176492\" id=\"kb-link-9\" target=\"_self\">Microsoft Knowledge Base Article 3176492</a><br/>See <a href=\"https://support.microsoft.com/help/3176493\" id=\"kb-link-10\" target=\"_self\">Microsoft Knowledge Base Article 3176493</a><br/>See <a href=\"https://support.microsoft.com/help/3176495\" id=\"kb-link-11\" target=\"_self\">Microsoft Knowledge Base Article 3176495</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note </span>A registry key does not exist to validate the presence of this update.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to get help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-12\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-13\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help for protecting your 
Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-14\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-15\" target=\"_self\">International Support</a></div><br/></span></div></div></div></div></body></html>", "edition": 3, "modified": "2016-08-09T17:30:02", "id": "KB3177358", "href": "https://support.microsoft.com/en-us/help/3177358/", "published": "2016-08-09T00:00:00", "title": "MS16-096: Cumulative security update for Microsoft Edge: August 9, 2016", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:56", "bulletinFamily": "info", "cvelist": ["CVE-2016-3319", "CVE-2017-11882"], "description": "A tricky vulnerability patched today in the Windows PDF Library could have put Microsoft Edge users on Windows 10 systems at risk for remote code execution attacks.\n\nEdge automatically renders PDF content when it\u2019s set as a computer\u2019s default browser, unlike most other browsers; the feature means that exploits would execute by simply viewing a PDF online. While this bug has not been publicly disclosed nor attacked, it\u2019s expected to be an attractive attack vector for hackers.\n\nMicrosoft patched this flaw in [MS16-102](<https://technet.microsoft.com/library/security/MS16-102>), one of four critical security bulletins it published today. The vulnerability, CVE-2016-3319, when exploited corrupts memory and allows an attacker to run arbitrary code with the same privileges as the user. Microsoft said attackers could either lure victims to a site containing a malicious PDF, or add an infected PDF to a site that accepts user-provided content.\n\n\u201cOnly Windows 10 systems with Microsoft Edge set as the default browser can be compromised simply by viewing a website. 
The browsers for all other affected operating systems do not automatically render PDF content, so an attacker would have no way to force users to view attacker-controlled content,\u201d Microsoft said in its advisory. \u201cInstead, an attacker would have to convince users to open a specially crafted PDF document, typically by way of an enticement in an email or instant message or by way of an email attachment.\u201d\n\nMicrosoft suggested that organizations could remove Edge from the PDF reader default type association as a temporary workaround.\n\n\u201cIt hasn\u2019t been publicly disclosed, although with the prevalence of PDF format, it\u2019s a safe bet that this going to live in the attacker\u2019s toolkits for years to come,\u201d said Jon Rudolph, principal software engineer at Core Security.\n\nThe flaw, privately disclosed by Aleksandar Nikolic of Cisco Talos, is also listed in [MS16-096](<https://technet.microsoft.com/library/security/MS16-096>), a separate critical update for Edge that addresses five remote code execution vulnerabilities and three information disclosure flaws. In addition to the PDF flaw, the remaining remote code execution bugs are memory corruption issues and a separate bug in the Chakra JavaScript engine.\n\nMicrosoft also published its customary monthly cumulative security update for Internet Explorer. [MS16-095](<https://technet.microsoft.com/library/security/MS16-095>) patches remote code execution and information disclosure flaws in the browser, including most of the same CVEs patched in the Microsoft Edge bulletin.\n\nAnother bulletin rated critical, [MS16-097](<https://technet.microsoft.com/library/security/MS16-097>), addresses three remote code execution vulnerabilities in the Microsoft Graphics Component found in Windows, Office, Skype for Business and Lync. 
The problem lies in the way the Windows font library handles specially crafted embedded fonts, Microsoft said.\n\nThe final critical bulletin, [MS16-099](<https://technet.microsoft.com/library/security/MS16-099>), includes patches for four memory corruption issues that could lead to remote code execution in Office going back to Office 2007 and including Office 2016 for Windows and Mac. The bulletin also includes a patch for an information disclosure vulnerability in Microsoft OneNote, which Microsoft said, discloses memory contents, information that could be used to compromise a machine.\n\nFor the second month in a row, Microsoft released a security update for Secure Boot. Rated important, [MS16-100](<https://technet.microsoft.com/library/security/MS16-100>) patches a security feature bypass bug that happens when Secure Boot improperly loads a vulnerable boot manager, Microsoft said.\n\n\u201cAn attacker who successfully exploited this vulnerability could disable code integrity checks, allowing test-signed executables and drivers to be loaded onto a target device,\u201d Microsoft said in its advisory. \u201cFurthermore, the attacker could bypass Secure Boot Integrity Validation for BitLocker and Device Encryption security features.\u201d\n\nThe remaining bulletins are rated important by Microsoft:\n\n * [MS16-098](<https://technet.microsoft.com/library/security/MS16-098>): Patches four elevation of privilege vulnerabilities in Windows Kernel-Mode drivers. Attackers would need local access to exploit these vulnerabilities, but successful exploits could result in arbitrary code execution.\n * [MS16-101](<https://technet.microsoft.com/library/security/MS16-101>): Patches two elevation of privileges flaws in Windows authentication methods Kerberos and NetLogon. 
The Kerberos issue is related to improper handling of password change requests, while the NetLogon flaw is related to an improperly established secure communication channel to a domain controller.\n * [MS16-103](<https://technet.microsoft.com/library/security/MS16-103>): Patches an information disclosure vulnerability in Windows ActiveSyncProvider in Windows 10. The flaw lives in Universal Outlook, which can fail to establish a secure connection allowing attackers to steal usernames and passwords.\n", "modified": "2016-08-09T21:58:32", "published": "2016-08-09T14:59:55", "id": "THREATPOST:30F4296B03191B6F9433E5DFA9CEBFE6", "href": "https://threatpost.com/windows-pdf-library-flaw-puts-edge-users-at-risk-for-rce/119773/", "type": "threatpost", "title": "August 2016 Microsoft Patch Tuesday Security Bulletins", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2020-09-02T11:52:41", "bulletinFamily": "info", "cvelist": ["CVE-2016-3329", "CVE-2016-3319", "CVE-2016-3322", "CVE-2016-3290", "CVE-2016-3288", "CVE-2016-3296", "CVE-2016-3326", "CVE-2016-3289", "CVE-2016-3327", "CVE-2016-3321", "CVE-2016-3293"], "description": "### *Detect date*:\n08/09/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Internet Explorer and Edge. 
Malicious users can exploit these vulnerabilities to execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Internet Explorer versions 9 through 11 \nMicrosoft Edge\n\n### *Solution*:\nInstall the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3322](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3322>) \n[CVE-2016-3321](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3321>) \n[CVE-2016-3319](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3319>) \n[CVE-2016-3296](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3296>) \n[CVE-2016-3293](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3293>) \n[CVE-2016-3290](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3290>) \n[CVE-2016-3289](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3289>) \n[CVE-2016-3288](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3288>) \n[CVE-2016-3329](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3329>) \n[CVE-2016-3327](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3327>) \n[CVE-2016-3326](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3326>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2016-3322](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3322>)7.6Critical \n[CVE-2016-3321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3321>)1.9Warning \n[CVE-2016-3319](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3319>)0.0Unknown 
\n[CVE-2016-3296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3296>)7.6Critical \n[CVE-2016-3293](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3293>)7.6Critical \n[CVE-2016-3290](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3290>)7.6Critical \n[CVE-2016-3289](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3289>)7.6Critical \n[CVE-2016-3288](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3288>)7.6Critical \n[CVE-2016-3329](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3329>)2.6Warning \n[CVE-2016-3327](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3327>)2.6Warning \n[CVE-2016-3326](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3326>)2.6Warning\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[3176495](<http://support.microsoft.com/kb/3176495>) \n[3176492](<http://support.microsoft.com/kb/3176492>) \n[3176493](<http://support.microsoft.com/kb/3176493>) \n[3175443](<http://support.microsoft.com/kb/3175443>) \n[4022719](<http://support.microsoft.com/kb/4022719>) \n[4022726](<http://support.microsoft.com/kb/4022726>) \n[4022714](<http://support.microsoft.com/kb/4022714>) \n[4021558](<http://support.microsoft.com/kb/4021558>) \n[4022724](<http://support.microsoft.com/kb/4022724>) \n[4022727](<http://support.microsoft.com/kb/4022727>) \n[4022715](<http://support.microsoft.com/kb/4022715>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 43, "modified": "2020-06-18T00:00:00", "published": "2016-08-09T00:00:00", "id": "KLA10858", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10858", "title": "KLA10858 Multiple vulnerabilities in Microsoft Edge and Internet Explorer", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-02T11:52:45", "bulletinFamily": "info", "cvelist": ["CVE-2016-3308", 
"CVE-2016-3319", "CVE-2016-3310", "CVE-2016-3309", "CVE-2016-3311", "CVE-2016-3320", "CVE-2016-3300", "CVE-2016-3303", "CVE-2016-3237", "CVE-2016-3304", "CVE-2016-3301", "CVE-2016-3312"], "description": "### *Detect date*:\n08/09/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges or obtain sensitive information.\n\n### *Affected products*:\nMicrosoft Windows Vista Service Pack 2 \nMicrosoft Windows Server 2008 Service Pack 2 \nMicrosoft Windows 7 Service Pack 1 \nMicrosof windows Server 2008 R2 Service Pack 1 \nMicrosoft Windows 8.1 \nMicrosoft Windows Server 2012 \nMicrosoft Windows Server 2012 R2 \nMicrosoft Windows RT 8.1 \nMicrosoft Windows 10\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2016-3319](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3319>) \n[CVE-2016-3320](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3320>) \n[CVE-2016-3312](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3312>) \n[CVE-2016-3311](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3311>) \n[CVE-2016-3310](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3310>) \n[CVE-2016-3309](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3309>) \n[CVE-2016-3308](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3308>) \n[CVE-2016-3304](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3304>) \n[CVE-2016-3303](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3303>) 
\n[CVE-2016-3301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3301>) \n[CVE-2016-3300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3300>) \n[CVE-2016-3237](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3237>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2016-3319](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3319>)0.0Unknown \n[CVE-2016-3320](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3320>)0.0Unknown \n[CVE-2016-3312](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3312>)0.0Unknown \n[CVE-2016-3311](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3311>)0.0Unknown \n[CVE-2016-3310](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3310>)0.0Unknown \n[CVE-2016-3309](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3309>)0.0Unknown \n[CVE-2016-3308](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3308>)0.0Unknown \n[CVE-2016-3304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3304>)0.0Unknown \n[CVE-2016-3303](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3303>)0.0Unknown \n[CVE-2016-3301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3301>)0.0Unknown \n[CVE-2016-3300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3300>)0.0Unknown \n[CVE-2016-3237](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3237>)0.0Unknown\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3175887](<http://support.microsoft.com/kb/3175887>) \n[3176495](<http://support.microsoft.com/kb/3176495>) \n[3176492](<http://support.microsoft.com/kb/3176492>) \n[3176493](<http://support.microsoft.com/kb/3176493>) \n[3177725](<http://support.microsoft.com/kb/3177725>) \n[3178034](<http://support.microsoft.com/kb/3178034>) 
\n[3172729](<http://support.microsoft.com/kb/3172729>) \n[3177108](<http://support.microsoft.com/kb/3177108>) \n[3192441](<http://support.microsoft.com/kb/3192441>) \n[3194798](<http://support.microsoft.com/kb/3194798>) \n[3192440](<http://support.microsoft.com/kb/3192440>) \n[3185331](<http://support.microsoft.com/kb/3185331>) \n[3185332](<http://support.microsoft.com/kb/3185332>) \n[3192393](<http://support.microsoft.com/kb/3192393>) \n[3192392](<http://support.microsoft.com/kb/3192392>) \n[3167679](<http://support.microsoft.com/kb/3167679>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 43, "modified": "2020-07-22T00:00:00", "published": "2016-08-09T00:00:00", "id": "KLA10856", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10856", "title": "KLA10856 Multiple vulnerabilities in Microsoft Windows", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}