Description
MFC Insecure Library Loading Vulnerability
A remote code execution vulnerability exists in the way that certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The update addresses this vulnerability by correcting how applications built using MFC load DLL files.
FAQ
Why is Microsoft documenting a 2010 CVE in this release?
Exchange Server was not identified as an in-scope product when CVE-2010-3190 was originally published. This vulnerability affects all installations of Exchange Server. If you are running any version of Exchange Server released prior to Exchange Server 2016 Cumulative Update 11 (as of this publishing, Cumulative Update 10 is the most recent cumulative update for Exchange 2016), the Visual Studio 2010 updates in MS11-025 should be applied to your Exchange Server.
Is there anything else that I need to do to ensure that my Exchange server remains protected from this vulnerability?
Yes, you must install the next cumulative update for your Exchange server when it becomes available. This document will be revised at such time to include information on where to obtain the update.
Updates
Product | Article | Update |
---|---|---|
Microsoft Exchange Server 2013 | | |
Microsoft Exchange Server 2010 Service Pack 3 | | |
Microsoft Exchange Server 2016 | | |
Related vulnerabilities
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
A vulnerability in the Microsoft Foundation Classes (MFC) library of the Microsoft Exchange Server mail server that allows an attacker to execute arbitrary code
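A defender-side check for the untrusted search path condition described above, as an added example that is not part of the original advisory: it walks a directory tree (for instance a share that users open documents from) and reports every directory where a dwmapi.dll sits beside one of the file types the description lists. The function names, the `trusted_dirs` parameter and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Values taken from the advisory text: the DLL name and the document types
# whose directory becomes the working directory of the MFC application.
DLL_NAME = "dwmapi.dll"
TRIGGER_EXTS = {".trc", ".cur", ".rs", ".rct", ".res"}


def find_suspect_dirs(root, trusted_dirs=()):
    """Return sorted (directory, dll_path, trigger_files) tuples for every
    directory under root that holds DLL_NAME next to a trigger document."""
    trusted = [os.path.normcase(os.path.abspath(t)) for t in trusted_dirs]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = os.path.normcase(os.path.abspath(dirpath))
        if any(here == t or here.startswith(t + os.sep) for t in trusted):
            continue  # e.g. the real system directory, where the DLL belongs
        dlls = [f for f in filenames if f.lower() == DLL_NAME]
        triggers = sorted(f for f in filenames
                          if os.path.splitext(f)[1].lower() in TRIGGER_EXTS)
        if dlls and triggers:
            findings.append((dirpath, os.path.join(dirpath, dlls[0]), triggers))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample data: three directories of empty placeholder files.
    Returns the path used as the trusted (system) directory."""
    layout = {
        "share/project": ["DWMAPI.DLL", "trace.trc", "notes.txt"],  # flagged
        "share/clean": ["icons.cur", "app.res"],                    # no DLL
        "system32": ["dwmapi.dll", "cursor.cur"],                   # trusted
    }
    for rel, names in layout.items():
        d = os.path.join(base, *rel.split("/"))
        os.makedirs(d)
        for name in names:
            open(os.path.join(d, name), "w").close()
    return os.path.join(base, "system32")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        trusted = build_sample_tree(base)
        for directory, dll, triggers in find_suspect_dirs(base, [trusted]):
            print(f"review {dll}: sits beside {', '.join(triggers)}")
```

A hit is a prompt for review rather than proof of tampering; the check only complements applying the updates named in the FAQ.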