CVE-2016-0175
Description
A local attacker can leak kernel object addresses via a crafted application, bypassing KASLR on multiple Windows versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2016-0175 is an information disclosure vulnerability in the Win32k kernel-mode driver on Microsoft Windows. The flaw exists because the kernel-mode driver does not properly handle objects in memory, allowing a local attacker to obtain sensitive kernel-object addresses. This vulnerability affects Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 [1].
Exploitation
To exploit this vulnerability, an attacker must first log on to an affected system. The attacker then runs a specially crafted application that triggers the information disclosure. The exploit requires local access and user interaction (e.g., the target must visit a malicious page or open a malicious file) [1][2]. The bug is related to how the kernel returns memory addresses, which can be extracted by a user-mode application [1].
Impact
Successful exploitation allows an attacker to obtain information about kernel-object addresses. This information can be used to bypass the Kernel Address Space Layout Randomization (KASLR) protection mechanism on the target system. While the direct impact is limited to information disclosure, the leaked addresses can be leveraged in further attacks to achieve privilege escalation [1].
Mitigation
Microsoft addressed this vulnerability in Security Bulletin MS16-062, released on May 10, 2016. The update corrects how the Windows kernel-mode driver handles memory addresses. Affected users should install the update (KB3158222) to remediate the vulnerability [1]. No workaround is documented.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_10:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
References