Microsoft GDI+ CVE-2016-3263 Information Disclosure Vulnerability
Description
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. An attacker who successfully exploited this vulnerability could use the retrieved information to circumvent Address Space Layout Randomization (ASLR) in Windows, which helps guard against a broad class of vulnerabilities. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability, that is capable of leveraging the ASLR circumvention. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability, and helps protect the integrity of the ASLR security feature, by correcting how GDI handles memory addresses.
Affected Applications
Microsoft Lync 2010 Attendee (admin level install)
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Skype for Business 2016 Basic (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Skype for Business 2016 Basic (64-bit)
Windows Server 2016
Microsoft Lync 2010 Attendee (user level install)
Windows Server 2012
Windows 10
Microsoft Lync 2010 (64-bit)
Microsoft Office 2007 Service Pack 3
Windows Vista x64 Edition Service Pack 2
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Windows 8
Skype for Business 2016 (64-bit)
Windows 7
Microsoft Live Meeting 2007 Console
Microsoft Lync 2010 (32-bit)
Skype for Business 2016 (32-bit)
Windows RT 8.1
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Office Word Viewer
Windows Server 2008
Windows Vista Service Pack 2
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)