CVE-2016-0015
published 2016-01-13CVE-2016-0015: DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and…
PriorityP267high7.8CVSS 3.0
AVLACLPRNUIRSUCHIHAH
EXPLOIT
EPSS
51.27%
98.8th percentile
DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted file, aka "DirectShow Heap Corruption Remote Code Execution Vulnerability."
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for OLE/COM object instantiation of CLSID {4315D437-5B8C-11D0-BD3B-00A0C911CE86} (device.1 / DeviceMoniker) triggered from Office applications or other software performing OleLoad/OleLoadFromStream calls, which is the vulnerable code path. ↗
- →Detect crafted OLE compound documents (e.g., Word .doc files) embedding a StdObjLink object ({00000300-0000-0000-c000-000000000046}) whose \x01Ole stream references the device.1 CLSID, as this is the documented exploit delivery mechanism. ↗
- →Look for a user-supplied stream length value of 1 passed to devenum.dll!CDeviceMoniker::Load via IPersistStream::Load, which triggers the heap underwrite (buffer of size 1 allocated, then a 2-byte null written 2 bytes before the allocation). ↗
- →Inspect OLE streams for a user-controlled 4-byte length field at the start of the DeviceMoniker stream (read via IStream::Read); anomalously small values (e.g., 1) or odd/misaligned values are indicators of exploitation attempts. ↗
- ·Exploitation requires user interaction: the victim must single-click the embedded OLE object in the document to trigger the OleLoad call chain. ↗
- ·The vulnerability is in devenum.dll's DeviceMoniker::Load and is reachable from any software performing IPersistStream::Load or OleLoad(IID_IOleObject) with an attacker-controlled CLSID — not limited to Office or DirectShow-specific entry points. ↗
CVSS provenance
nvdv3.07.8HIGHCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_msrc7.8HIGH
vendor_redhat4.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-f5w3-cqp3-wr54: DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
ghsa_unreviewed·2022-05-14
CVE-2016-0015 [HIGH] CWE-119 GHSA-f5w3-cqp3-wr54: DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8
DirectShow in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted file, aka "DirectShow Heap Corruption Remote Code Execution Vulnerability."
VMware
VMware Horizon View updates address directory traversal vulnerability
vendor_vmware·2016-10-06·CVSS 5.3
CVE-2016-7087 [MEDIUM] VMware Horizon View updates address directory traversal vulnerability
VMSA-2016-0015: VMware Horizon View updates address directory traversal vulnerability
VMware Horizon View updates address directory traversal vulnerability VMware Horizon View contains a vulnerability that may allow for a directory traversal on the Horizon View Connection Server. Exploitation of this issue may lead to a partial information disclosure. VMware would like to thank Mike Arnold (Bruk0ut) working with Trend Micro's Zero Day Initiative for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7087 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Product Version Running on Severity Replace wi
Red Hat
curl: NTLM credentials not-checked for proxy connection re-use
vendor_redhat·2016-01-27·CVSS 4.0
CVE-2016-0755 [MEDIUM] CWE-287 curl: NTLM credentials not-checked for proxy connection re-use
curl: NTLM credentials not-checked for proxy connection re-use
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
Package: curl (Red Hat Enterprise Linux 5) - Will not fix
Package: curl (Red Hat Enterprise Linux 6) - Will not fix
Package: curl (Red Hat Enterprise Linux 7) - Will not fix
Package: curl (Red Hat JBoss Enterprise Web Server 3) - Will not fix
Package: httpd24-curl (Red Hat Software Collections) - Not affected
Microsoft
CVE-2016-0015: Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No
Reference: https://catalog
vendor_msrc·2016-01-12·CVSS 7.8
CVE-2016-0015 [HIGH] CVE-2016-0015: Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No
Reference: https://catalog
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3109560
No detection rules found.
Talos
Microsoft Patch Tuesday - January 2016
blogs_talos·2016-01-12·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - January 2016
The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.
### Bulletins Rated Critical Microsoft bulletins MS16-001 through MS16-0006 are rated as critical in this month's release.
MS16-001 and MS16-002 are this month's Internet Explorer and Edge security bulletin respectively. In total, four vulnerabilities were addre
Talos
Microsoft Patch Tuesday - January 2016
blogs_talos·2016-01-12·CVSS 7.5
[HIGH] Microsoft Patch Tuesday - January 2016
## Microsoft Patch Tuesday - January 2016
The first Patch Tuesday of 2016 has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is relatively light with nine bulletins addressing 25 vulnerabilities. Six bulletins are rated critical and address vulnerabilities in Edge, Internet Explorer, JScript/VBScript, Office, Silverlight, and Windows. The remaining three bulletins are rated important and address vulnerabilities in Exchange and several parts of Windows.
## Bulletins Rated Critical Microsoft bulletins MS16-001 through MS16-0006 are rated as critical in this month's release.
MS16-001 and MS16-002 are this month's Internet Explorer and Edge security bulletin respectively.
Zscaler
Zscaler found Multiple Security Vulnerabilities | 01-12-2016
blogs_zscaler·CVSS 7.5
[HIGH] Zscaler found Multiple Security Vulnerabilities | 01-12-2016
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Provide zero trust site-to-site connectivity and reliable access to B2B apps for partners.
Industry Report
Zscaler: A Leader in the 2025 Gartner® Magic Quadrant™ for Security Service Edge (SSE)
USE CASES
INDUSTRY & MARKET SOLUTIONS
PARTNERS
TECHNOLOGY PARTNERS
Resource Center
Events & Trainings
Security Research & Services
Tools
Community & Support
CXO REVOLUTIONARIES
Amplifying the voices of real-world digital and zero trust pioneers
Discover how it began and where it’s going
Meet o
http://packetstormsecurity.com/files/135232/Microsoft-DirectShow-Remote-Code-Execution.htmlhttp://www.securitytracker.com/id/1034660https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-007https://www.exploit-db.com/exploits/39232/http://packetstormsecurity.com/files/135232/Microsoft-DirectShow-Remote-Code-Execution.htmlhttp://www.securitytracker.com/id/1034660https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-007https://www.exploit-db.com/exploits/39232/
2016-01-13
Published