JVNDB-2016-005802

Microsoft IME may insecurely load Dynamic Link Libraries

Overview

Microsoft IME, bundled with Microsoft Windows, contains an issue in how it loads DLLs.
When some application programs are invoked, they may initiate Microsoft IME. When initiated, the IME checks a certain registry key for the file path of a DLL and loads that DLL.
This registry key does not exist by default and can be created by a normal user.
If an application program is invoked with elevated privileges, this mechanism can be leveraged for privilege escalation attacks.

Takashi Yoshikawa of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.1 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Microsoft Corporation
  • Microsoft IME
  • Microsoft Windows 10 Version 1511 for 32-bit Systems
  • Microsoft Windows 10 Version 1511 for x64-based Systems
  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 for 32-bit Systems
  • Microsoft Windows 10 for x64-based Systems
  • Microsoft Windows 7 for 32-bit Systems SP1
  • Microsoft Windows 7 for x64-based Systems SP1
  • Microsoft Windows 8.1 for 32-bit Systems
  • Microsoft Windows 8.1 for x64-based Systems
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1
  • Microsoft Windows Server 2008 R2 for x64-based Systems SP1 (Server Core installation)
  • Microsoft Windows Server 2008 for 32-bit Systems SP2
  • Microsoft Windows Server 2008 for 32-bit Systems SP2 (Server Core installation)
  • Microsoft Windows Server 2008 for Itanium-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2
  • Microsoft Windows Server 2008 for x64-based Systems SP2 (Server Core installation)
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 (Server Core installation)
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2012 R2 (Server Core installation)
  • Microsoft Windows Server 2016 for x64-based Systems
  • Microsoft Windows Server 2016 for x64-based Systems (Server Core installation)
  • Microsoft Windows Vista SP2
  • Microsoft Windows Vista x64 Edition SP2

Impact

Arbitrary code may be executed with the execution privilege of the application program which initiated Microsoft IME.
This can occur when a user is tricked into placing a malicious DLL file prepared by an attacker in a specific folder and entering that folder's location in the registry key.

Solution

[Update the Software]
Apply the Windows Updates according to the information provided by Microsoft.
This issue is addressed in MS16-130 released on November 8th, 2016.

Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS16-130

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2016-7221

References

  1. JVN : JVN#21627267
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2016-7221
  4. IPA SECURITY ALERTS : Security Alert for Vulnerability in Microsoft IME (November 2016) (JVN#21627267) (in Japanese)
  5. JPCERT REPORT : JPCERT-AT-2016-0046

Revision History

  • [2017/07/07]
      Web page was published