-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.3064
         Microsoft Security Bulletin MS15-129: Security Update for
          Silverlight to Address Remote Code Execution (3106614)
                              9 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-6166 CVE-2015-6165 CVE-2015-6114

Original Bulletin: 
   https://technet.microsoft.com/en-us/library/security/MS15-129

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS15-129: Security Update for Silverlight to 
Address Remote Code Execution (3106614)

Document Metadata

Bulletin Number: MS15-129

Bulletin Title: Security Update for Silverlight to Address Remote Code 
Execution

Severity: Critical

KB Article: 3106614

Version: 1.0

Published Date: December 8, 2015

Executive Summary

This security update resolves vulnerabilities in Microsoft Silverlight. The 
most severe of the vulnerabilities could allow remote code execution if 
Microsoft Silverlight incorrectly handles certain open and close requests that
could result in read- and write-access violations. To exploit the 
vulnerability, an attacker could host a website that contains a specially 
crafted Silverlight application and then convince a user to visit a 
compromised website. The attacker could also take advantage of websites 
containing specially crafted content, including those that accept or host 
user-provided content or advertisements.

An attacker would have no way to force users to visit a compromised website. 
Instead, an attacker would have to convince a user to take action, such as 
clicking a link that takes the user to the attacker's website.

This security update is rated Critical for Microsoft Silverlight 5 and 
Microsoft Silverlight 5 Developer Runtime when installed on Mac or all 
supported releases of Microsoft Windows. For more information, see the 
Affected Software section.

Affected Software

Microsoft Silverlight 5

Microsoft Silverlight 5 Developer Runtime

Vulnerability Information

Microsoft Silverlight RCE Vulnerability - CVE-2015-6166

A remote code execution vulnerability exists when Microsoft Silverlight 
incorrectly handles certain open and close requests that can result in read- 
and write-access violations.

To exploit the vulnerability, an attacker could host a website that contains a
specially crafted Silverlight application and then convince a user to visit 
the compromised website. The attacker could also take advantage of websites 
containing specially crafted content, including those that accept or host 
user-provided content or advertisements. For example, an attacker could 
display specially crafted web content by using banner advertisements or by 
using other methods to deliver web content to affected systems. In all cases,
however, an attacker would have no way to force users to visit a compromised 
website. Instead, an attacker would have to convince a user to visit the 
website, typically by enticing the user to click a link in an email or in an 
Instant Messenger message.

In the web-browsing scenario, an attacker who successfully exploited this 
vulnerability could obtain the same permissions as the currently logged-on 
user. If a user is logged on with administrative user rights, an attacker 
could take complete control of the affected system. An attacker could then 
install programs; view, change, or delete data; or create new accounts with 
full user rights. Users whose accounts are configured to have fewer user 
rights on the system could be less impacted than users who operate with 
administrative user rights. The update addresses the vulnerability by 
correcting how Microsoft Silverlight handles certain open and close web 
requests.

Microsoft received information about this vulnerability through coordinated 
vulnerability disclosure. At the time this security bulletin was originally 
issued, Microsoft was unaware of any attack attempting to exploit this 
vulnerability.

Multiple Microsoft Silverlight Information Disclosure Vulnerabilities

Multiple information disclosure vulnerabilities exist when Silverlight fails 
to properly handle objects in memory, which could allow an attacker to more 
reliably predict pointer values and degrade the efficacy of the Address Space
Layout Randomization (ASLR) security feature.

To exploit the vulnerabilities, in a web-browsing attack scenario, an attacker
could potentially bypass the ASLR security feature, which protects users from
a broad class of vulnerabilities. The ASLR bypass by itself does not allow 
arbitrary code execution. However, an attacker could use the vulnerabilities 
in conjunction with an ASLR bypass to compromise a targeted system.

In a web-based attack scenario, an attacker could host a website with 
specially crafted Silverlight content in an attempt to exploit the 
vulnerabilities. In addition, compromised websites and websites that accept or
host user-provided content containing specially crafted content could also 
exploit the vulnerabilities. An attacker would have no way to force a user to
visit a specially crafted website. Instead, an attacker would have to convince
a user to take action. For example, an attacker could trick a user into 
clicking a link that takes the user to the attacker's website. The update 
addresses the vulnerabilities by correcting how memory is handled to maintain
the integrity of ASLR in Silverlight.

Microsoft received information about the vulnerabilities through coordinated 
vulnerability disclosure. At the time this security bulletin was originally 
issued, Microsoft was unaware of any attack attempting to exploit the 
vulnerabilities.

The following table contains links to the standard entry for each 
vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title 						CVE number	Publicly disclosed	Exploited

Microsoft Silverlight Information Disclosure Vulnerability 	CVE-2015-6114 	No			No

Microsoft Silverlight Information Disclosure Vulnerability 	CVE-2015-6165	No 			No

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVmd8KX6ZAP0PgtI9AQKeYg/+IYYzh0NH0kfDpAHiVASSRjqzmhHesnTq
/2LSrKPWvpPVcFXUd44XYZj3boIlWyO509EWip0faMIO/JO/V3xrID/4ebCBQIEx
mMlEexqKqaUDJh61TuN43gcHa+B8JVoNk+PYEf8iAs1vrC/VpfLGZXppxKeF+JA4
G40VcnDY9vCYIxXHTUM7PYbxJCmeLy7OLSLBLjpYYVR+9EK7P8YgedzuBVrJTZ1i
W7cZIb5KpQp6baYB84fM+wTKP07RRtVq4Cv+Rr3Mr9QJz6sb3YUA8r/hNUyOOUa0
/HtBz4IIt9y93iro6or07SE8/ycYXYf51ycDx+/Xdw1nxSZ2BSWTFkMXE9UvIG3I
WHxWAOzIe9xqkeZKLICLtYHRIrywnbxeK3Ph3Tdt4Ba+fmLMnZvX8MKBFz7vOQGl
ejkE+zStrj4xNcUNHTriEWPqPl92d5f3zkMNJSjAAHyHMHBIgAIMCOorRVKi56TO
0kaYeY+VdccOtluJyspq2xD8Qhc12NqnTILq7YwZ9E7jzMHHuqmhV7DiyLg+ICmi
cfDaoZBsmRoiGM3iSl1sUpO0GMw2KFxLrh14JvQKkfxzkfnub2F8rHIa5Sxl47CG
Jwn/3Xg0SuB8KHxjGeNDifpJ1TuSk8ufI6EX85k9y2vlqHMcOGdH9fNyVHrVF9i1
NgPQ2hXvRxA=
=M3LI
-----END PGP SIGNATURE-----