Microsoft Security Bulletin MS16-017 - Important

Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)

Published: February 9, 2016

Version: 1.0

This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an authenticated attacker logs on to the target system using RDP and sends specially crafted data over the connection. By default, RDP is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

This security update is rated Important for all supported editions of Windows 7, Windows Server 2012, Window 8.1, Windows Server 2012 R2, and Windows 10. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how RDP handles objects in memory. For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3134700.

 

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary.

 

Operating System

Remote Desktop Protocol (RDP) Elevation of Privilege Vulnerability - CVE-2016-0036

Updates Replaced*

Windows 7

Windows 7 for 32-bit Systems Service Pack 1
(3126446)[1]

Important
Elevation of Privilege

3069762 in MS15-067

Windows 7 for x64-based Systems Service Pack 1
(3126446)[1]

Important
Elevation of Privilege

3069762 in MS15-067

Windows 8.1

Windows 8.1 for 32-bit Systems
(3126446)

Important
Elevation of Privilege

3035017 in MS15-030

Windows 8.1 for x64-based Systems
(3126446)

Important
Elevation of Privilege

3035017 in MS15-030

Windows Server 2012 and Windows Server 2012 R2

Windows Server 2012
(3126446)

Important
Elevation of Privilege

3067904 in MS15-067

Windows Server 2012 R2
(3126446)

Important
Elevation of Privilege

3035017 in MS15-030

Windows 10

Windows 10 for 32-bit Systems [2]
(3135174)

Important
Elevation of Privilege

3124266

Windows 10 for x64-based Systems [2]
(3135174)

Important
Elevation of Privilege

3124266

Server Core installation option

Windows Server 2012 (Server Core installation)
(3126446)

Important
Elevation of Privilege

3067904 in MS15-067

Windows Server 2012 R2 (Server Core installation)
(3126446)

Important
Elevation of Privilege

3035017 in MS15-030

[1]Enterprise and Ultimate editions of Windows 7 are affected. All supported editions of Windows 7 are affected if RDP 8.0 is installed on the system. See the Update FAQ for more information.

[2]Windows 10 updates are cumulative. In addition to containing non-security updates, they also contain all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with the monthly security release. The update is available via the Windows Update Catalog.

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Which editions of Windows 7 are affected? 
Enterprise and Ultimate editions of Windows 7 are affected. All supported editions of Windows 7 are affected if RDP 8.0 is installed on the system. For customers running RDP 8.0 on local systems who do not need the new server-side features provided in RDP 8.0, Microsoft recommends upgrading to RDP 8.1 and not applying (or removing) the 3126446 update.

Remote Desktop Protocol (RDP) Elevation of Privilege Vulnerability - CVE-2016-0036

An elevation of privilege vulnerability exists in Remote Desktop Protocol (RDP) when an attacker logs on to the target system using RDP and sends specially crafted data over the authenticated connection. An attacker who successfully exploited this vulnerability could execute code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the target system by using the Remote Desktop Protocol (RDP). An attacker could then run a specially crafted application that is designed to create the crash condition that leads to elevated privileges. The update addresses the vulnerability by correcting how RDP handles objects in memory.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title

CVE number

Publicly disclosed

Exploited

Remote Desktop Protocol (RDP) Elevation of Privilege Vulnerability

CVE-2016-0036

No

No


Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

  • Disable RDP

     

    To disable RDP using Group Policy

    1. Open Group Policy
    2. In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, double-click the Allows users to connect remotely using Terminal Services setting.
    3. Do one of the following:
      • To enable Remote Desktop, click Enabled.
      • To disable Remote Desktop, click Disabled.

       

      If you disable Remote Desktop while users are connected to the target computers, the computers maintain their current connections, but will not accept any new incoming connections.

    Important When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. For more information, see Enabling users to connect remotely to the server and Add users to the Remote Desktop Users group.

    You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers. For more information about testing policy settings, see Resultant Set of Policy.

    Note:

    • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
    • Use the above procedure to configure the local Group Policy object. To change a policy for a domain or an organizational unit, you must log on to the primary domain controller as an administrator. Then, you must start Group Policy by using the Active Directory Users and Computers snap-in.
    • If the Allows users to connect remotely using Terminal Services Group Policy setting is set to Not Configured, the Enable Remote Desktop on this computer setting (on the Remote tab of the System Properties dialog box) on the target computers takes precedence. Otherwise, the Allows users to connect remotely using Terminal Services Group Policy setting takes precedence.
    • Be aware of the security implications of remote logons. Users who log on remotely can perform tasks as though they were sitting at the console. For this reason, you should ensure that the server is behind a firewall. For more information, see VPN servers and firewall configuration and Security information for IPSec.
    • You should require all users who make remote connections to use a strong password. For more information, see Strong passwords.
    • Remote Desktop is disabled by default in Windows Server 2003 operating systems.

     

    To disable RDP using System Properties

    1. Open System in Control Panel.
    2. On the Remote tab, select or clear the Enable Remote Desktop on this computer check box, and then click OK.

     

    Important When you enable Remote Desktop on a computer, you enable the capability for other users and groups to log on remotely to the computer. However, you must also decide which users and groups should be able to log on remotely, and then manually add them to the Remote Desktop Users group. For more information, see Enabling users to connect remotely to the server and Add users to the Remote Desktop Users group.

    Note:

    • You must be logged on as a member of the Administrators group to enable or disable Remote Desktop.
    • To open a Control Panel item, click Start, click Control Panel, and then double-click the appropriate icon.
    • Any configuration set with Group Policy overrides the configuration set by using System properties, as described in this procedure.
    • Be aware of the security implications of remote logons. Users who log on remotely can perform tasks as though they were sitting at the console. For this reason, you should ensure that the server is behind a firewall. For more information, see VPN servers and firewall configuration and Security information for IPSec.
    • You should require all users who make remote connections to use a strong password. For more information, see Strong passwords.
    • Remote Desktop is disabled by default in Windows Server 2003 operating systems.

FAQ

Is remote desktop enabled by default? 
No, RDP for administration is not enabled by default. However, customers who have not enabled RDP will still be offered this update in order to help ensure the protection of their systems. For more information regarding this configuration setting, see the TechNet article, How to enable and to configure Remote Desktop for Administration in Windows Server 2003. Note that this article also applies to later releases of Microsoft Windows.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (February 9, 2016): Bulletin published.

Page generated 2016-02-03 13:33-08:00.
Show: