#Security Vulnerability

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the score, privileges required is equal to low. In this situation, what does that mean?** An attacker with non-admin credentials can potentially carry out an exploit using this vulnerability. **How can an attacker exploit this vulnerability?** The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log's Remote Procedure Call (RPC) endpoint on the server-side. **What is a Remote Procedure Call (RPC)?** RPC is a communication mechanism that allows computers to communicate with one another over a network. An RPC consists of a procedure identifier, parameters passed to the procedure, and a value returned to the caller (client computer) after the procedure has executed on the remote system (server computer). **Are there mitigating factors related to this vulnerability?** Yes. Access to the Event Log service endpoint is blocked by default and a firewall rule change is required to make the endpoint ac...

**The Security Updates table indicates that this vulnerability affects all supported versions of Microsoft Windows. Why are IE Cumulative updates listed for Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2?** While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those pl...

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

**Does the attacker need to be in an authenticated role in the Exchange Server?** Yes, the attacker must be authenticated.

The following workaround may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as they become available even if you plan to leave this workaround in place: **Disable SMBv3 compression** You can disable compression to block authenticated attackers from exploiting the vulnerability against an **SMBv3 Server** with the PowerShell command below. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force **Notes:** 1. No reboot is needed after making the change. 2. **This workaround does not prevent exploitation of SMB clients; please see item 2 under FAQ to protect clients.** You can disable the workaround with the PowerShell command below. Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force **Note:** No reboot is needed ...

**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.

**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.