AusCERT - ESB-2013.0027 - [Win] Microsoft .NET Framework: Multiple vulnerabilities

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2013.0027 - [Win] Microsoft .NET Framework: Multiple vulnerabilities
Date: 09 January 2013

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0027
        Vulnerabilities in .NET Framework Could Allow Elevation of
                            Privilege (2769324)
                              9 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft .NET Framework
Publisher:         Microsoft
Operating System:  Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows 7
                   Windows Server 2008 R2
                   Windows 8
                   Windows Server 2012
                   Windows RT
Impact/Access:     Increased Privileges     -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0004 CVE-2013-0003 CVE-2013-0002
                   CVE-2013-0001  

Original Bulletin: 
   http://technet.microsoft.com/en-us/security/bulletin/ms13-004

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS13-004 - Important

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2769324)

Published Date: January 8, 2013

Version: 1.0

General Information

Executive Summary

This security update resolves four privately reported vulnerabilities in the 
.NET Framework. The most severe of these vulnerabilities could allow elevation 
of privilege if a user views a specially crafted webpage using a web browser 
that can run XAML Browser Applications (XBAPs). The vulnerabilities could also 
be used by Windows .NET applications to bypass Code Access Security (CAS) 
restrictions. An attacker who successfully exploited these vulnerabilities 
could gain the same user rights as the logged-on user. Users whose accounts 
are configured to have fewer user rights on the system could be less impacted 
than users who operate with administrative user rights.

This security update is rated Important for Microsoft .NET Framework 1.0 
Service Pack 3, Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET 
Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET 
Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5 
on all supported editions of Microsoft Windows. This update has no severity 
rating for Microsoft .NET Framework 3.0 Service Pack 2.

The security update addresses the vulnerabilities by correcting how the .NET 
Framework initializes memory arrays, copies objects in memory, validates the 
size of an array prior to copying objects in memory, and validates the 
permissions of objects. 

Affected Software

Microsoft .NET Framework 1.0 Service Pack 3
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3[2]
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4[1]
Microsoft .NET Framework 4.5

[1] .NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET 
Framework version 4 redistributable packages are available in two profiles: 
.NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client 
Profile is a subset of .NET Framework 4. The vulnerability addressed in this 
update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For 
more information, see the MSDN article, Installing the .NET Framework.

[2] Severity ratings do not apply to this update for the specified software 
because the known attack vectors for the vulnerability discussed in this 
bulletin are blocked in a default configuration. However, as a defense-in-
depth measure, Microsoft recommends that customers of this software apply this 
security update.

Vulnerability Information

System Drawing Information Disclosure Vulnerability - CVE-2013-0001

An information disclosure vulnerability exists in the way the Windows Forms in 
.NET Framework handles pointers to unmanaged memory locations.

WinForms Buffer Overflow Vulnerability - CVE-2013-0002

An elevation of privilege vulnerability exists in the way that a Windows Forms 
method included in the .NET Framework validates the number of objects in 
memory before copying those objects into an array. An attacker who 
successfully exploited this vulnerability could take complete control of an 
affected system. An attacker could then install programs; view, change, or 
delete data; or create new accounts with full user rights. Users whose 
accounts are configured to have fewer user rights on the system could be less 
impacted than users who operate with administrative user rights.

S.DS.P Buffer Overflow Vulnerability - CVE-2013-0003

An elevation of privilege vulnerability exists in the way that a System.
DirectoryServices.Protocols (S.DS.P) namespace method in the .NET Framework 
validates the size of objects in memory prior to copying those objects into an 
array. An attacker who successfully exploited this vulnerability could take 
complete control of an affected system. An attacker could then install 
programs; view, change, or delete data; or create new accounts with full user 
rights. Users whose accounts are configured to have fewer user rights on the 
system could be less impacted than users who operate with administrative user 
rights.

Double Construction Vulnerability - CVE-2013-0004

An elevation of privilege vulnerability exists in the way that .NET Framework 
validates the permissions of certain objects in memory. An attacker who 
successfully exploited this vulnerability could take complete control of an 
affected system. An attacker could then install programs; view, change, or 
delete data; or create new accounts with full user rights. Users whose 
accounts are configured to have fewer user rights on the system could be less 
impacted than users who operate with administrative user rights.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUOyreu4yVqjM2NGpAQKKzQ/+JXgjTdJCkrShNPEcPkjHsbwzktwvkDJo
24S0oPb87CdP0fW/Bl3rk7bhd3ODLp5Q7XDoXnPknVVU5dIy49GvLER0voGUUpMi
6Cl3vrZdzq3Uu7xH7Mpu3n5F56e4+qmMt2iWcD0NHwwH8R0rL4mkqvlNTRyn/Xju
4B7Jiu9f0a3eNsOSyA5N1xs7B67oE0RqZlQpMStPd+rR83x2DNgqIq0vYb2rTgqK
f0Nkq1n2faFJNgIPIFOSQYaw6aE5OkvBYt/EyVeeNTXgcT2fYCgrQrX1pplWG2N6
ffCsMUHhu2f4ao5RUkGK6Icw+YV+Dl8rPNnGmrPJH/chv5mMvvnMGwbFmSy4R7Zq
xhxHz9rPVkJnPeuF5yml0Q781bNPeDweruELlMs9FHFf2S2rTRfOJgN6s6+UTPli
VyvgtOo2F+/juN7mxl0Ox7Hie3vMHUCZD0Ny6K9wH7Cifa66KCfUDJmDe99/sjam
l6L9fv5nAQGZyUz8uYCPgJDikFo6vFKCF5e3Xiw057wBq8htIs1Nfz7/8hLBkWQw
kex+7QCi9WiXxDFmreo3RWtlx++oFKLB3wwu6KABlDuBB+/UxXYywdF8qrW4CwCH
a4zEDHVjEDqmG28d0WuvnKacubHzBQAT7O7zmLMRcVD4hbTV8FwCbggQsJp4gIV/
5sWuxlpvXcM=
=5tJ4
-----END PGP SIGNATURE-----