CVE-2020-0875: Microsoft splwow64 Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 5.5)

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Sep

Released

2020-09-08

EPSS Score

26.26% (percentile: 96.3%)

Description

An information disclosure vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system (low-integrity to medium-integrity). This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The security update addresses the vulnerability by ensuring splwow64.exe properly handles these calls.

FAQ

What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Affected Products (36)

Other

• 11497
• 11498
• 11563
• 11568
• 11569
• 11570
• 11571
• 11572
• 11712
• 11713
• 11714
• 11715
• 11453
• 11454
• 11583
• 11644
• 11645
• 11646
• 11647
• 11766
• 11767
• 11768
• 11769
• 10729
• 10735
• 10852
• 10853
• 10816
• 10855
• 10481
• 10482
• 10484
• 10378
• 10379
• 10483
• 10543

Security Updates (11)

• 4577032
• 4570333
• 4574727
• 4577041
• 4571756
• 4577049
• 4577015
• 4577066
• 4577071
• 4577038
• 4577048

Acknowledgments

<a href="http://weibo.com/pgboy1988">pgboy</a>

Revision History

• 2020-09-08: Information published.