Information disclosure in Microsoft products - CVE-2016-3262
Published: October 13, 2016 / Updated: February 21, 2017
Vulnerability identifier: #VU960
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3262
CWE-ID: CWE-401
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft .NET Framework
Microsoft Office
Microsoft Silverlight
Windows
Windows Server
Microsoft Lync
Lync Attendee
Microsoft Live Meeting
Microsoft .NET Framework
Microsoft Office
Microsoft Silverlight
Windows
Windows Server
Microsoft Lync
Lync Attendee
Microsoft Live Meeting
Detailed vulnerability description
The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A local attacker can execute a specially crafted program on the affected system, get information about system memory state, bypass Address Space Layout Randomization (ASLR) and conduct further attacks.
Successful exploitation of the vulnerability will result in information disclosure on the vulnerable system.
The weakness exists due to boundary error in the Graphics Device Interface (GDI) component. A local attacker can execute a specially crafted program on the affected system, get information about system memory state, bypass Address Space Layout Randomization (ASLR) and conduct further attacks.
Successful exploitation of the vulnerability will result in information disclosure on the vulnerable system.
How to mitigate CVE-2016-3262
Install update from vendor's website.