CVE-2017-8584 | HoloLens Remote Code Execution Vulnerability

A remote code execution vulnerability exists when HoloLens improperly handles objects in memory. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted WiFi packet.

The update addresses the vulnerability by correcting how HoloLens handles objects in memory.



Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | Denial of Service
Yes | No | 2 - Exploitation Less Likely | 2 - Exploitation Less Likely | Not Applicable

Affected Products

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Product | Platform | Article | Download | Impact | Severity | Supersedence
Windows 10 Version 1607 for 32-bit Systems | | 4025339 | Security Update | Remote Code Execution | Critical | 4022715
Windows 10 Version 1607 for x64-based Systems | | 4025339 | Security Update | Remote Code Execution | Critical | 4022715
Windows Server 2016 | | 4025339 | Security Update | Remote Code Execution | Critical | 4022715
Windows Server 2016 (Server Core installation) | | 4025339 | Security Update | Remote Code Execution | Critical | 4022715

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure.
See acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version | Date | Description
1.0 | 07/11/2017 | Information published.

Source: CVE-2017-8584 | HoloLens Remote Code Execution Vulnerability - Microsoft Security TechCenter