Microsoft GDI+ CVE-2016-3209 Information Disclosure Vulnerability
Description
An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system. An attacker who successfully exploited this vulnerability could use the retrieved information to circumvent Address Space Layout Randomization (ASLR) in Windows, which helps guard against a broad class of vulnerabilities. By itself, the information disclosure does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability, that is capable of leveraging the ASLR circumvention. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The security update addresses the vulnerability, and helps protect the integrity of the ASLR security feature, by correcting how GDI handles memory addresses.
Affected Applications
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2
Microsoft Silverlight 5 Developer Runtime when installed on Apple Mac OS (Intel-based)
Microsoft Silverlight 5 when installed on Microsoft Windows (32-bit)
Microsoft .NET Framework 4.6 on Windows Vista x64 Edition Service Pack 2
Microsoft Lync 2010 Attendee (admin level install)
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Skype for Business 2016 Basic (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Skype for Business 2016 Basic (64-bit)
Microsoft Lync 2010 Attendee (user level install)
Windows Server 2012
Windows 10
Microsoft Lync 2010 (64-bit)
Microsoft Office 2007 Service Pack 3
Microsoft .NET Framework 4.5.2 on Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Silverlight 5 when installed on Microsoft Windows (x64-based)
Microsoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based)
Windows 8
Skype for Business 2016 (64-bit)
Windows 7
Microsoft Live Meeting 2007 Console
Microsoft Lync 2010 (32-bit)
Skype for Business 2016 (32-bit)
Windows RT 8.1
Microsoft .NET Framework 4.6 on Windows Vista Service Pack 2
Microsoft .NET Framework 4.5.2 on Windows Vista x64 Edition Service Pack 2
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Office Word Viewer
Microsoft .NET Framework 3.0 Service Pack 2 on Windows Vista Service Pack 2
Microsoft Silverlight 5 when installed on Apple Mac OS (Intel-based)
Microsoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit)
Windows Server 2008
Windows Vista Service Pack 2
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)