Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (MS16-005)

ITS Advisory Number: 
2016-008
Date(s) Issued: 
Tuesday, January 12, 2016
Subject: 
Security Update for Windows Kernel-Mode Drivers to Address Remote Code Execution (MS16-005)
Overview: 

Two vulnerabilities have been discovered in Microsoft Windows kernel-mode drivers, the more severe of which could allow remote code execution if a user visits a malicious website.

Successful exploitation of the more severe vulnerability could allow an attacker to run arbitrary code with the same privileges as the logged-on user. The second vulnerability is an ASLR bypass: on its own it does not allow code execution, but it can be combined with another vulnerability to make exploitation reliable. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user or administrative rights.

Systems Affected: 
  • Windows Vista
  • Windows Server 2008 and Server 2008 R2
  • Windows 7
  • Windows 8 and 8.1
  • Windows Server 2012 and Server 2012 R2
  • Windows RT and RT 8.1
  • Windows 10
  • Windows Server 2008 Core
  • Windows Server 2012 Core
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

Two vulnerabilities have been discovered in Microsoft Windows kernel-mode drivers (the Win32k subsystem and the GDI32.dll graphics device interface), the more severe of which could allow remote code execution. The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling. The details of the vulnerabilities are as follows:

  • Windows GDI32.dll ASLR Bypass Vulnerability exists in the way that the Windows graphics device interface handles objects in memory. By itself this does not allow code execution; an attacker would use it together with another vulnerability to predict memory layout and run arbitrary code reliably - CVE-2016-0008
  • Win32k Remote Code Execution Vulnerability exists in the way that the Win32k kernel-mode driver handles objects in memory. An attacker who convinced a user to visit a specially crafted website could run arbitrary code on the affected system - CVE-2016-0009

Successful exploitation of the Win32k vulnerability could allow an attacker to run arbitrary code with the same privileges as the logged-on user; the GDI32.dll ASLR bypass only lowers the bar for such an attack when chained with another vulnerability. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user or administrative rights.

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
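The following PowerShell is an added example, not part of the ITS advisory or of Microsoft's bulletin, for verifying the first and last actions above on a Windows host: that an MS16-005 update is installed and that the interactive session is not running with administrative rights. The per-operating-system KB article numbers for MS16-005 are not listed on this page; they must be taken from the bulletin's Affected Software table and passed in the `-KBIds` parameter (the `KB0000000` value in the usage line is a placeholder, not a real identifier). The function names `Test-MS16005Update` and `Test-IsElevated` are this example's own.

```powershell
# Added example (not the advisory's or Microsoft's own code).
# Checks whether an MS16-005 update is present and reports the versions of the
# two binaries the bulletin covers, so they can be compared against the
# file-version table published with the bulletin.
function Test-MS16005Update {
    [CmdletBinding()]
    param(
        # KB identifiers for THIS OS, taken from the MS16-005 Affected Software
        # table (not given on this page). Example placeholder: 'KB0000000'.
        [Parameter(Mandatory = $true)]
        [string[]]$KBIds
    )

    # Get-HotFix enumerates updates recorded by Component-Based Servicing
    # (Win32_QuickFixEngineering); it is how WSUS/Windows Update installs appear.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($KBIds | Where-Object { $installed -contains $_ })

    # Binaries named in the bulletin: the Win32k kernel-mode driver and GDI32.
    # Test-Path guards against hosts where a file is absent or renamed.
    $files = @(
        (Join-Path $env:SystemRoot 'System32\win32k.sys'),
        (Join-Path $env:SystemRoot 'System32\gdi32.dll')
    )
    $versions = foreach ($f in $files) {
        if (Test-Path $f) {
            [pscustomobject]@{
                File    = $f
                Version = (Get-Item $f).VersionInfo.FileVersion
            }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Patched        = ($matched.Count -gt 0)
        MatchedKBs     = ($matched -join ',')
        BinaryVersions = $versions
    }
}

# Reports whether the current session holds the Administrators token, i.e.
# whether the "run as a non-privileged user" action is actually in effect.
function Test-IsElevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage (replace the placeholder with the KB number(s) for this OS from MS16-005):
# Test-MS16005Update -KBIds 'KB0000000' | Format-List
# if (Test-IsElevated) { Write-Warning 'Interactive session is running elevated.' }
```

`Patched` is only as good as the KB list supplied: a later cumulative update can supersede the January 2016 package and carry a different KB number, in which case the reported file versions, not the KB match, are what should be compared against the bulletin.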