CVE-2016-3393
Published 2016-10-14
Priority P184 · high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW
CISA Known Exploited Vulnerability, remediation due 2022-06-15
Exploited in the wild
EPSS: 68.68% (99.3rd percentile)
Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Graphics Component RCE Vulnerability."
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
Detection & IOCs (extracted from the sources below)
- The exploit is delivered as a specially crafted TTF font loaded directly into memory via AddFontMemResourceEx. Monitor for unusual in-memory font loading through this API, especially from non-standard processes; note that neither Windows auditing nor Sysmon records this call, so the telemetry has to come from an EDR sensor or a user-mode hook.
- The vulnerability is triggered in win32k!cjComputeGLYPHSET_MSFT_GENERAL during cmap table parsing. Monitor for crashes or anomalous behaviour in Win32k.sys tied to font (cmap) parsing.
- Post-exploitation spawns PowerShell with a meterpreter-style C2 script. Hunt for PowerShell processes running with elevated privileges shortly after browser or font-related activity.
- The EoP module runs entirely in memory without touching disk, so file-based detection will miss it; rely on behavioural and memory scanning instead.
- Full technical details of the vulnerability were intentionally withheld by Kaspersky Lab to keep additional threat actors from weaponizing the exploit.
- On Windows 10, font processing occurs in a sandboxed user-mode process (fontdrvhost.exe) with restricted privileges, which limits but does not eliminate the impact of this vulnerability.
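The third bullet above (elevated PowerShell descended from a browser) is the one signal a hunter can act on from ordinary process-creation telemetry. The following is an added example, not code from this page or from any of the sources it cites: it walks a constructed batch of Sysmon Event ID 1 style records (assumed fields: timestamp, PID, parent PID, image path, integrity level, command line) and flags every powershell.exe that runs at High or System integrity with a browser somewhere in its ancestry. The browser image list, the integrity ordering and the "suspicious flag" list are the example's own assumptions, and the sample events are constructed, not a real capture.

```python
"""Hunt for elevated PowerShell descended from a browser process.

Added example (not from the page or its sources). Input is a constructed
subset of Sysmon Event ID 1 (process creation) fields. The process tree is
rebuilt from ParentProcessId and assumes PIDs are not reused in the batch.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumptions of this example: which images count as browsers, how Windows
# integrity levels rank, and which PowerShell switches raise suspicion.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe",
            "microsoftedge.exe", "microsoftedgecp.exe"}
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden",
                    "-windowstyle hidden", "-nop", "-noprofile")


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    integrity: str  # Sysmon IntegrityLevel field
    cmdline: str


# Constructed sample log, shaped like a browser exploit followed by a kernel EoP.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2016, 10, 5, 9, 0, 0), 1200, 800,
              r"C:\Windows\explorer.exe", "Medium", "explorer.exe"),
    ProcEvent(datetime(2016, 10, 5, 9, 14, 2), 3124, 1200,
              r"C:\Program Files\Internet Explorer\iexplore.exe", "Low",
              "iexplore.exe"),
    # System-integrity PowerShell whose parent is the low-integrity browser.
    ProcEvent(datetime(2016, 10, 5, 9, 14, 30), 3980, 3124,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "System", "powershell.exe -nop -w hidden -enc <base64-blob>"),
    # Elevated admin console descended from explorer, not from a browser.
    ProcEvent(datetime(2016, 10, 5, 9, 21, 0), 4200, 1200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "High", "powershell.exe -File C:\\scripts\\maintenance.ps1"),
    # Browser child at the browser's own integrity level: not an elevation.
    ProcEvent(datetime(2016, 10, 5, 9, 30, 0), 5100, 1200,
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "Medium", "chrome.exe"),
    ProcEvent(datetime(2016, 10, 5, 9, 31, 0), 5200, 5100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "Medium", "powershell.exe -Command Get-Date"),
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def browser_ancestor(event, by_pid, max_depth=8):
    """Return the nearest browser ancestor of `event`, or None."""
    parent = by_pid.get(event.ppid)
    depth = 0
    while parent is not None and depth < max_depth:
        if basename(parent.image) in BROWSERS:
            return parent
        parent = by_pid.get(parent.ppid)
        depth += 1
    return None


def hunt(events):
    """Map PID -> details for each elevated PowerShell with a browser ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        ancestor = browser_ancestor(e, by_pid)
        if ancestor is None:
            continue
        if INTEGRITY_RANK.get(e.integrity, -1) < INTEGRITY_RANK["High"]:
            continue  # browser-spawned but not elevated: lower priority, not flagged here
        lowered = e.cmdline.lower()
        hits[e.pid] = {
            "browser_pid": ancestor.pid,
            "browser_integrity": ancestor.integrity,
            "integrity": e.integrity,
            "suspicious_flags": [f for f in SUSPICIOUS_FLAGS if f in lowered],
        }
    return hits


if __name__ == "__main__":
    for pid, info in hunt(SAMPLE_EVENTS).items():
        print(pid, info)
```

Only PID 3980 is flagged: it is System integrity, its parent is the Low-integrity iexplore.exe, and its command line carries the hidden-window and encoded-command switches. The elevated console under explorer.exe and the Medium-integrity PowerShell under chrome.exe are left alone, which is the point of requiring both a browser ancestor and an integrity jump rather than either on its own.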
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
Two things to read out of this table. CVSS v2 has no Critical band (its scale is Low, Medium, High), so the 9.3 is High on the v2 scale; "CRITICAL" is the aggregator's own label. NVD's v3.1 vector scores the bug as Local with user interaction, because the crafted font has to be loaded on the victim host, and that attack-vector choice is what separates its 7.8 from Microsoft's 8.8: holding impact, scope, privileges and UI fixed, 8.8 is the score the formula gives for AV:N.
CISA
Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
cisa·2022-05-25·CVSS 7.8
CVE-2016-3393 [HIGH] CWE-284 Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
Vulnerability: Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
Affected: Microsoft Windows
A remote code execution vulnerability exists due to the way the Windows GDI component handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the affected system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-3393
Remediation Due Date: 2022-06-15
Microsoft
GDI+ Remote Code Execution Vulnerability
vendor_msrc·2016-10-11·CVSS 8.8
CVE-2016-3393 [HIGH] GDI+ Remote Code Execution Vulnerability
GDI+ Remote Code Execution Vulnerability
Description: A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
There are multiple ways an attacker could exploit the vulnerability:
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the w
GHSA
GHSA-9xwj-cq6w-69v3: Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
ghsa_unreviewed·2022-05-14
CVE-2016-3393 [HIGH] CWE-284 GHSA-9xwj-cq6w-69v3: Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8
Graphics Device Interface (aka GDI or GDI+) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted web site, aka "Windows Graphics Component RCE Vulnerability."
VulnCheck
Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
vulncheck·2016·CVSS 7.8
CVE-2016-3393 [HIGH] CWE-284 Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
Microsoft Windows Graphics Device Interface (GDI) Remote Code Execution Vulnerability
A remote code execution vulnerability exists due to the way the Windows GDI component handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the affected system.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2016-Oct; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-15
No detection rules found.
No public exploits indexed.
Securelist
Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016
blogs_securelist·2016-12-14
Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016
Table of Contents
- Introduction
- Six things we learned this year that we didn’t know before
- Other top threats
- The impact on business
Authors
- Kaspersky
## Introduction
If they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe and the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in 2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless hacking of high profile websit
Securelist
Windows zero-day exploit used in targeted attacks by FruityArmor APT
blogs_securelist·2016-10-20·CVSS 7.8
CVE-2016-3393 [HIGH] Windows zero-day exploit used in targeted attacks by FruityArmor APT
Table of Contents
Attack chain description
EOP zero-day details
Authors
Anton Ivanov
A few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync.
One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.
Here’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this
Talos
Microsoft Patch Tuesday - October 2016
blogs_talos·2016-10-11·CVSS 5.5
[MEDIUM] Microsoft Patch Tuesday - October 2016
Patch Tuesday has once again arrived! Microsoft's monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today's release sees a total of 10 bulletins with five of the bulletins rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.
## Bulletins Rated Critical The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127
MS16-118 and MS16-119 are this month's bulletins for Internet Explorer and Edg
References
- http://www.securityfocus.com/bid/93377
- http://www.securitytracker.com/id/1036988
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-120
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3393
Published: 2016-10-14
Added to CISA KEV: 2022-05-25
Exploited in the wild