Memory corruption in Win32k.sys driver in Windows and Windows Server

#VU126 Memory corruption in Win32k.sys driver in Windows and Windows Server

Published: 2016-07-13 | Updated: 2017-02-03

Vulnerability identifier: #VU126

Vulnerability risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3252

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Windows
Operating systems & Components / Operating system
Windows Server
Operating systems & Components / Operating system

Vendor: Microsoft

Description

The vulnerability allows a local user to obtain elevated privileges.

The vulnerability exists doe to an error in Win32k.sys kernel-mode driver when handling certain objects in memory. A local user can elevate privileges on vulnerable system.

Successful exploitation of this vulnerability will allow a local attacker to executed arbitrary code with SYSTEM privileges.

Mitigation

To resolve this vulnerability vendor recommends installing the following updates:

Windows Vista

Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2

Windows Server 2008

Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7

Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8.1

Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012
Windows Server 2012 R2

Windows RT 8.1

Use Windows Update to obtain patch.

Windows 10

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2012
Windows Server 2012 R2

Vulnerable software versions

Windows: Vista, 7, 8.1 - 8.1 RT

Windows Server: 2008 - 2012 R2

External links
http://technet.microsoft.com/en-us/library/security/MS16-090

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Windows Kernel-Mode Drivers

Win32k Elevation of Privilege Vulnerability

Security Update for Windows Kernel-Mode Drivers