Nov 15, 2016

CVEs for the week of 11/07


High Vulnerabilities

Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
adobe -- flash_player
Adobe Flash Player versions 23.0.0.205 and earlier, 11.2.202.643 and earlier have an exploitable use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution.
2016-11-08
  Many others




microsoft -- windows_10
The Common Log File System (CLFS) driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows local users to gain privileges via a crafted application, aka "Windows Common Log File System Driver Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-3332, CVE-2016-3333, CVE-2016-3334, CVE-2016-3335, CVE-2016-3338, CVE-2016-3340, CVE-2016-3342, CVE-2016-3343, and CVE-2016-7184.

According to the linked MS site...
Mitigating Factors
Microsoft has not identified any mitigating factors for these vulnerabilities.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Security Update Deployment
For Security Update Deployment information see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Revisions
    V1.0 (November 8, 2016): Bulletin published.
So it says, but if the "Updates Replaced" column on the right of the table has an entry, does that mean it is enough to apply the patch?
2016-11-10
 Many others




microsoft -- edge
Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Browser Memory Corruption Vulnerability," a different vulnerability than CVE-2016-7198.

According to the linked MS site...
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Revisions
    V1.0 (November 8, 2016) Bulletin published.
So it says, but if the "Updates Replaced" column on the right of the table has an entry, does that mean it is enough to apply the patch?
2016-11-10
 Many others




microsoft -- excel
Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Excel for Mac 2011, Excel 2016 for Mac, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Memory Corruption Vulnerability."

According to the linked MS site...
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds
Microsoft has not identified any workarounds for this vulnerability.

Revisions
    V1.0 (November 8, 2016) Bulletin published.
So it says, but if the "Updates Replaced" column on the right of the table has an entry, does that mean it is enough to apply the patch?

The one with no such update (left unaddressed by MS) is MS Office 2016 32/64 bit. The vulnerability is "Remote Code Execution".
2016-11-10
 Many others




nvidia -- geforce_experience
For the NVIDIA Quadro, NVS, and GeForce products, GFE GameStream and NVTray Plugin unquoted service path vulnerabilities are examples of the unquoted service path vulnerability in Windows. A successful exploit of a vulnerable service installation can enable malicious code to execute on the system at the system/user privilege level. The CVE-2016-3161 ID is for the GameStream unquoted service path.
2016-11-08
 Many others




Medium Vulnerabilities

Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
citrix -- receiver_desktop
Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable.
2016-11-07
 




nvidia -- geforce_experience
For the NVIDIA Quadro, NVS, and GeForce products, the NVIDIA NVStreamKMS.sys service component is improperly validating user-supplied data through its API entry points causing an elevation of privilege.
2016-11-08
 Many others



