SecurityTracker.com
Category:   OS (Microsoft)  >   Windows DLL (Any)
Vendors:   Microsoft
(Microsoft Issues Fix for Windows) Microsoft Internet Explorer Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Bypass Security, Execute Arbitrary Code, and Gain Elevated Privileges
SecurityTracker Alert ID:  1036790
SecurityTracker URL:  http://securitytracker.com/id/1036790
CVE Reference:   CVE-2016-3375
Date:  Sep 13 2016
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8.1, 2012, 2012 R2, RT 8.1, 10, 10 Version 1511, 10 Version 1607; and prior service packs
Description:   Multiple vulnerabilities were reported in Microsoft Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can gain elevated privileges. A remote user can bypass security controls on the target system. A remote user can obtain potentially sensitive information on the target system. Windows is affected.

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2016-3247, CVE-2016-3295, CVE-2016-3297, CVE-2016-3324, CVE-2016-3375].

An application running in the browser can bypass the sandbox protection to gain elevated privileges on the target system [CVE-2016-3292].

A remote user can exploit a flaw in the handling of '.URL' files to bypass an unspecified security feature [CVE-2016-3353].

A remote user can create specially crafted content that, when loaded by the target user, will access potentially sensitive information on the target user's system [CVE-2016-3325, CVE-2016-3351].

A remote user can exploit a flaw in the handling of cross-origin requests to determine the origin of all web pages in the browser [CVE-2016-3291].

Eduardo Braun Prado (via Trend Micro's Zero Day Initiative), Garage4Hackers (via Trend Micro's Zero Day Initiative), Kafeine, Brooks Li of Trend Micro, Liu Long of Qihoo 360, Nathaniel Theis (XMPPwocky), SkyLined (via Trend Micro's Zero Day Initiative), Thomas Vanhoutte (via Trend Micro's Zero Day Initiative), and Yuki Chen of Qihoo 360 Vulcan Team reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can gain elevated privileges on the target system.

A remote user can bypass security controls on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   Microsoft has issued a fix for CVE-2016-3375 for Windows.

[Editor's note: The vendor indicates that you must install both this update (MS16-116) and the update in MS16-104 to be protected from this vulnerability.]

The Microsoft advisory is available at:

https://technet.microsoft.com/library/security/ms16-116

Vendor URL:  technet.microsoft.com/library/security/ms16-116
Cause:   Access control error

Message History:   This archive entry is a follow-up to the message listed below.
Sep 13 2016 Microsoft Internet Explorer Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Bypass Security, Execute Arbitrary Code, and Gain Elevated Privileges



 Source Message Contents



[Original Message Not Available for Viewing]

