ゼットスケーラーのセキュリティアドバイザリ
Zscaler Protects against Multiple Vulnerabilities in Internet Explorer, Microsoft Edge, Microsoft Graphics Component, XML Core Service, and CSRSS
Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 13 vulnerabilities included in the April 2016 Microsoft security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the April release and deploy additional protections as necessary.
MS16-037 – Cumulative Security Update for Internet Explorer
Severity: Critical
Affected Software
- Internet Explorer 9-11
CVE-2016-0154 – Microsoft Browser Memory Corruption Vulnerability
CVE-2016-0159 – Internet Explorer Memory Corruption Vulnerability
CVE-2016-0164 – Internet Explorer Memory Corruption Vulnerability
Description: This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS16-038 – Cumulative Security Update for Microsoft Edge
Severity: Critical
Affected Software
- Microsoft Edge
CVE-2016-0155 – Microsoft Edge Memory Corruption Vulnerability
CVE-2016-0156 – Microsoft Edge Memory Corruption Vulnerability
CVE-2016-0157 – Microsoft Edge Memory Corruption Vulnerability
CVE-2016-0158 – Microsoft Edge Elevation of Privilege Vulnerability
CVE-2016-0161 – Microsoft Edge Elevation of Privilege Vulnerability
Description: This security update resolves vulnerabilities in Microsoft Edge. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
MS16-039 – Security Update for Microsoft Graphics Component
Severity: Critical
Affected Software
- Windows Vista SP2
- Windows Server 2008 SP2
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT 8.1
CVE-2016-0143 – Win32k Elevation of Privilege Vulnerability
CVE-2016-0165 – Win32k Elevation of Privilege Vulnerability
CVE-2016-0167 – Win32k Elevation of Privilege Vulnerability
Description: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.
MS16-040 – Security Update for Microsoft XML Core Service
Severity: Critical
Affected Software
- Windows Vista SP2
- Windows Server 2008 SP2
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows RT 8.1
- Windows 10
CVE-2016-0147 – MSXML Remote Code Execution Vulnerability
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user clicks a specially crafted link that could allow an attacker to run malicious code remotely to take control of the user’s system. However, in all cases an attacker would have no way to force a user to click a specially crafted link. An attacker would have to convince a user to click the link, typically by way of an enticement in an email or Instant Messenger message.
MS16-048 – Security Update for CSRSS
Severity: Important
Affected Software
- Windows 8.1
- Windows Server 2012
- Windows Server 2012 R2
- Windows 10
CVE-2016-0151 – Windows CSRSS Security Feature Bypass Vulnerability
Description: This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker logs on to a target system and runs a specially crafted application.