Microsoft Windows up to Server 2019 Text Services Framework information disclosure

Summaryinfo

A vulnerability was found in Microsoft Windows up to Server 2019. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Text Services Framework. Such manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2020-16921. The attack can be launched remotely. No exploit exists. A patch should be applied to remediate this issue.

Detailsinfo

A vulnerability was found in Microsoft Windows up to Server 2019 (Operating System). It has been rated as problematic. Affected by this issue is some unknown processing of the component Text Services Framework. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

<p>An information disclosure vulnerability exists in Text Services Framework when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.</p> <p>To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file.</p> <p>The update addresses the vulnerability by correcting how Text Services Framework handles objects in memory.</p>

The weakness was disclosed 10/13/2020 as confirmed security guidance (Website). The advisory is available at portal.msrc.microsoft.com. This vulnerability is handled as CVE-2020-16921. The exploitation is known to be easy. The attack may be launched remotely. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1592 by the MITRE ATT&CK project. The advisory points out:

An information disclosure vulnerability exists in Text Services Framework when it fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system. To exploit this vulnerability, an attacker would have to log on to an affected system and open a specially crafted file. The update addresses the vulnerability by correcting how Text Services Framework handles objects in memory.

It is declared as proof-of-concept.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Operating System

Vendor

• Microsoft

Name

• Windows

Version

• 10 1709
• 10 1803
• 10 1809
• 10 1903
• 10 1909
• 10 2004
• Server 1903
• Server 1909
• Server 2004
• Server 2019

License

• commercial

Website

• Vendor: https://www.microsoft.com/
• Product: https://www.microsoft.com/en-us/windows

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion