#VU125 Memory corruption in Win32k.sys driver in Windows Server and Windows - CVE-2016-3250

Cybersecurity Help s.r.o.

Published: 2016-07-13 | Updated: 2017-02-03

Vulnerability identifier: #VU125

Vulnerability risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-3250

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Windows Server
Operating systems & Components / Operating system
Windows
Operating systems & Components / Operating system

Vendor: Microsoft

Description

The vulnerability allows a local user to obtain elevated privileges.

The vulnerability exists doe to an error in Win32k.sys kernel-mode driver when handling certain objects in memory. A local user can elevate privileges on vulnerable system.

Successful exploitation of this vulnerability will allow a local attacker to executed arbitrary code with SYSTEM privileges.

Mitigation

To resolve this vulnerability vendor recommends installing the following updates:

Windows Server 2012

Windows Server 2012

Windows RT 8.1

Use Windows Update to obtain patch.

Windows 10

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1511 for 32-bit Systems
Windows 10 Version 1511 for x64-based Systems

Server Core installation option

Windows Server 2012

Vulnerable software versions

Windows Server: 2012

Windows: 10

External links
https://technet.microsoft.com/en-us/library/security/MS16-090

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Windows Kernel-Mode Drivers

Win32k Elevation of Privilege Vulnerability

Security Update for Windows Kernel-Mode Drivers