Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (MS16-007)
MS-ISAC ADVISORY NUMBER:2016-010
Multiple vulnerabilities have been discovered in Microsoft Windows that could allow for remote code execution. Exploitation of the most severe vulnerability could result in the execution of remote code with full system privileges resulting in full control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.
There are no reports of these vulnerabilities being exploited in the wild.
- Windows Vista
- Windows 7
- Windows 8
- Windows 8.1
- Windows RT
- Windows RT 8.1
- Windows 10
- Windows Server 2008
- Windows 2008 R2
- Windows Server Core Installations
- Windows Server 2012
- Windows Server 2012 R2 and Server Core installations
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Six vulnerabilities have been reported in Microsoft Windows. The most severe vulnerabilities could allow for remote code execution. Details of these vulnerabilities are as follows:
One Heap Corruption Remote Code Execution vulnerability exists due to how Microsoft DirectShow improperly validates user input. An attacker could exploit the vulnerability by sending a specially crafted link to the user and by convincing the user to open it. Successful exploitation would give the attacker the ability to run remote code with full user rights. (CVE-2016-0015)
Two DLL Loading Remote Code Execution vulnerabilities exist due to how Windows improperly validates input before loading dynamic link library (DLL) files. An attacker would first have to log on to the target system and then run a specially crated application in order to exploit these vulnerabilities. Successful exploitation would give the attacker the ability to run remote code with full user rights. (CVE-2016-0016, CVE-2016-0018)
Two DLL Loading Elevation of Privilege vulnerabilities exist due to how Windows improperly validates input before loading dynamic link library (DLL) files. An attacker would first have to log on to the target system and then run a specially crafted application in order to exploit these vulnerabilities. Successful exploitation could elevate their privileges on a targeted system. (CVE-2016-0014, CVE-2016-0020)
One Security Bypass vulnerability exists due to a failure to prevent remote logon to accounts that have no passwords set on Windows 10 hosts running RDP services. An attacker could exploit this vulnerability by using an older version of the RDP client to connect to the Windows 10 host. The attacker could then log on as a user if the account has no password set despite the default system setting that restricts access to accounts without passwords to local logon only. Successful exploitation could allow an attacker to gain access to the remote host as another user, possibly with elevated privileges. (CVE-2016-0019)
Successful exploitation of the most severe vulnerabilities could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
Apply appropriate patches or workaround provided by Microsoft to vulnerable systems immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
Do not open email attachments from unknown or untrusted sources.
Consider implementing file extension whitelists for allowed e-mail attachments.