Microsoft GDI+ CVE-2016-3262 Information Disclosure Vulnerability

description-logoDescription

An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. An attacker who successfully exploited this vulnerability could use the retrieved information to circumvent Address Space Layout Randomization (ASLR) in Windows, which helps guard against a broad class of vulnerabilities. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability, that is capable of leveraging the ASLR circumvention. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability, and helps protect the integrity of the ASLR security feature, by correcting how GDI handles memory addresses.

affected-products-logoAffected Applications

Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Skype for Business 2016 Basic (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Skype for Business 2016 Basic (64-bit)
Microsoft Lync 2010 Attendee (user level install)
Windows Server 2012
Windows 10
Microsoft Lync 2010 (64-bit)
Microsoft Office 2007 Service Pack 3
Windows Vista x64 Edition Service Pack 2
Microsoft Lync 2010 Attendee (admin level install)
Windows 8
Skype for Business 2016 (64-bit)
Windows 7
Microsoft Live Meeting 2007 Console
Microsoft Lync 2010 (32-bit)
Skype for Business 2016 (32-bit)
Windows RT 8.1
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Office Word Viewer
Windows Server 2008
Windows Vista Service Pack 2
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)

CVE References

CVE-2016-3262