Microsoft Security Advisory 3179528

Update for Kernel Mode Blacklist

Published: August 9, 2016

Version: 1.0

Executive Summary

Microsoft is blacklisting some publicly released versions of securekernel.exe. Customers do not need to take any special action to ensure that an updated securekernel.exe is installed on their systems. This is because the most recent securekernel.exe is part of a cumulative update that also includes the blacklisted hashes described in this advisory.

Affected Software

This advisory discusses the following software.

Operating system Blacklisted public securekernel.exe hashes
Windows 10 for 32-bit Systems [1]
(3176492)
RTM:
98A1A44DB196F31436F6D6B37FDE5865820D3C1BD9409E79831213870EAD50FE

9/9/2015 Release:
9038CE3C57673A4E1640F00473D809F0E6C5B700A42757A3847B6D01A0B21D6C

Servicing:
KB3156387
0404D00333BCCD611E28944DDBA2DE9363DE65B45A1D11A06F463CE9BFA3B88C
Windows 10 for x64-based Systems [1]
(3176492)
RTM:
98A1A44DB196F31436F6D6B37FDE5865820D3C1BD9409E79831213870EAD50FE

9/9/2015 Release:
9038CE3C57673A4E1640F00473D809F0E6C5B700A42757A3847B6D01A0B21D6C

Servicing:
KB3156387
0404D00333BCCD611E28944DDBA2DE9363DE65B45A1D11A06F463CE9BFA3B88C
Windows 10 Version 1511 for 32-bit Systems [1]
(3176493)
RTM:
44A303E702D873E3F8C8E18098FC24AC6B7B19D080582B69A44E9F0FB08DFE1D

Servicing:
KB3116908
484BBE7C7DB4D3693DED687D2FF3F916FE866AA861B5112A3C9CE83268A3ECC8

KB3124262
A25E4D153CC2E252FA522C759B6816DD51693C9A8DDBF26D5314A64137E38F19

KB3135173
633EB6ECEDB0F84057A986F46B63D4D2CADA80F55A77BC0EC48F33CCD31C4BB0

KB3157621
F21A59660A47F5CAB97871F22C3239B15AA1002CD576579C20E2BD7FC89130B7

KB3156421
7427EF97C81CE0F2BC7520297AA601A02564527E3B0305A3DD06F6BE72407FBE
Windows 10 Version 1511 for x64-based Systems [1]
(3176493)
RTM:
44A303E702D873E3F8C8E18098FC24AC6B7B19D080582B69A44E9F0FB08DFE1D

Servicing:
KB3116908
484BBE7C7DB4D3693DED687D2FF3F916FE866AA861B5112A3C9CE83268A3ECC8

KB3124262
A25E4D153CC2E252FA522C759B6816DD51693C9A8DDBF26D5314A64137E38F19

KB3135173
633EB6ECEDB0F84057A986F46B63D4D2CADA80F55A77BC0EC48F33CCD31C4BB0

KB3157621
F21A59660A47F5CAB97871F22C3239B15AA1002CD576579C20E2BD7FC89130B7

KB3156421
7427EF97C81CE0F2BC7520297AA601A02564527E3B0305A3DD06F6BE72407FBE
Windows Server 2016 Technical Preview 5[2] RTM:
CDC9B696A7CC9197BA7D02E7C59BAB9266D4ACBD7B16C4B4E2920AA14F579BD8

Servicing:
KB3158987
CDAA2C4C76479AF092189732A041D289E75C9D3B5AA10E533188EE722589B56B

[1]Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.

[2]The vulnerability discussed in this bulletin affects Windows Server 2016 Technical Preview 5. To be protected from the vulnerability, Microsoft recommends that customers running this operating system apply the current update, which is available from Windows Update.

Advisory FAQ

What is the scope of the advisory?
The purpose of this advisory is to inform customers of blacklisted publicly released versions of securekernel.exe for all supported editions of Windows 10, Windows 10 Version 1511, and Windows Server 2016 Technical Preview 5.

Is this a security vulnerability that requires Microsoft to issue a security update?
Yes. This update is included in the Latest Cumulative Update (LCU) for each of the affected systems in this advisory. Installing the update ensures for customers that none of the vulnerable securekernel.exe files remain on these systems, and that a good securekernel.exe is installed on them.

What is the cause of the problem with the blacklisted publicly released versions of securekernel.exe?
An information disclosure vulnerability exists when Windows Secure Kernel Mode improperly handles objects in memory. A locally-authenticated attacker who successfully exploited this vulnerability could be able to read sensitive information on the target system.

To exploit this vulnerability, an attacker could run a specially crafted application on the target system. Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system.

The securekernel.exe update described in this advisory is part of the update to address the information disclosure vulnerability in MS16-089, “Security Update for Windows Secure Kernel Mode (3170050),” that was released on July 12, 2016. That update addresses the information disclosure vulnerability by correcting how Windows Secure Kernel Mode handles objects in memory. The update also ensures that only a good securekernel.exe is installed on the systems described in this advisory.

Suggested Actions

  • Ensure that computers running these operating systems only have the current version of securekernel.exe installed
    The majority of customers have automatic updating enabled and do not need to take any action because the update is downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

Additional Suggested Actions

  • Protect your PC
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.

  • Keep Microsoft Software Updated
    Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 9, 2016): Advisory published.

Page generated 2016-08-09 08:37-07:00.