9.3

CVE-2012-0151

Warnung
The Authenticode Signature Verification function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer Preview does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute arbitrary code via a modified file with additional content, aka "WinVerifyTrust Signature Validation Vulnerability."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftWindows 7 Version- Updatesp1 HwPlatformx64
MicrosoftWindows 7 Version- Updatesp1 HwPlatformx86
MicrosoftWindows Server 2003 Version- Updatesp2
MicrosoftWindows Server 2008 Version- Updatesp2 HwPlatformitanium
MicrosoftWindows Server 2008 Version- Updatesp2 HwPlatformx64
MicrosoftWindows Server 2008 Versionr2 HwPlatformitanium
MicrosoftWindows Server 2008 Versionr2 HwPlatformx64
MicrosoftWindows Vista Version- Updatesp2
MicrosoftWindows Xp Version- Updatesp2 HwPlatformx64
MicrosoftWindows Xp Version- Updatesp3
MicrosoftWindows 7 Version- Updatesp1
MicrosoftWindows Server 2003 Version- Updatesp2
MicrosoftWindows Server 2008 Version- Updatesp2
MicrosoftWindows Server 2008 Versionr2 Updatesp1
MicrosoftWindows Vista Version- Updatesp2
MicrosoftWindows Xp Version- Updatesp2 SwEditionprofessional HwPlatformx64
MicrosoftWindows Xp Version- Updatesp3

08.06.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft Windows Authenticode Signature Verification Remote Code Execution Vulnerability

Schwachstelle

The Authenticode Signature Verification function in Microsoft Windows (WinVerifyTrust) does not properly validate the digest of a signed portable executable (PE) file, which allows user-assisted remote attackers to execute code.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 88.78% 0.998
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 9.3 8.6 10
AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.us-cert.gov/cas/techalerts/TA12-101A.html
Third Party Advisory
US Government Resource
http://osvdb.org/81135
Broken Link
http://secunia.com/advisories/48581
Broken Link
http://www.securitytracker.com/id?1026906
Third Party Advisory
Broken Link
VDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-024
Patch
Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15594
Broken Link
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0151
US Government Resource