
Source

Microsoft Security Response Center

CVE-2022-38004: Windows Fax Service Remote Code Execution Vulnerability

**In what scenarios is my computer vulnerable?** For Windows 11 and Windows 10 the FAX service is not installed by default. For the vulnerability to be exploitable, the Windows Fax and Scan feature needs to be enabled, and the Fax service needs to be running. Systems that do not have the Fax service running are not vulnerable.

**How can I verify whether the Fax service is running?**

1. Hold the **Windows key** and press **R** on your keyboard. This will open the Run dialog.
2. Type _services.msc_ and press **Enter** to open the Services window.
3. Scroll through the list and locate the **Fax** service.
   * If the Fax service is not listed, Windows Fax and Scan is not enabled and the system is not vulnerable.
   * If the Fax service is listed but the status is not _Running_, then the system is not vulnerable at the time, but could be targeted if the service was started. The update should be installed as soon as possible or the Fax service should be removed if not needed.

CVE-2022-38006: Windows Graphics Component Information Disclosure Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file.

* In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
* In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

CVE-2022-37958: SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited the vulnerability could potentially read small portions of heap memory.

CVE-2022-34732: Microsoft ODBC Driver Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into opening a malicious MDB file in Access via ODBC, which could result in the attacker being able to execute arbitrary code on the victim's machine with the permission level at which Access is running.

CVE-2022-34727: Microsoft ODBC Driver Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into opening a malicious MDB file in Access via ODBC, which could result in the attacker being able to execute arbitrary code on the victim's machine with the permission level at which Access is running.

CVE-2022-34722: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could result in remote code execution.

CVE-2022-34721: Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could result in remote code execution.

CVE-2022-38020: Visual Studio Code Elevation of Privilege Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to be enticed to open a malicious file in a directory. Users should never open anything that they do not know or trust to be safe.

CVE-2022-34723: Windows DPAPI (Data Protection Application Programming Interface) Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could view the data protection API (DPAPI) master key.

CVE-2022-37959: Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability

**What security feature could be bypassed by this vulnerability?** An attacker who successfully exploited this vulnerability could bypass the Network Device Enrollment Service (NDES) cryptographic service provider.