ID

VAR-201202-0054


CVE

CVE-2012-0014


TITLE

Microsoft .NET Framework and Silverlight Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2012-001443

DESCRIPTION

Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4, and Silverlight 4 before 4.1.10111, does not properly restrict access to memory associated with unmanaged objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, (3) a crafted .NET Framework application, or (4) a crafted Silverlight application, aka ".NET Framework Unmanaged Objects Vulnerability."

Microsoft Silverlight and Microsoft .NET Framework are prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition.

The platform includes the C# and Visual Basic programming languages, the common language runtime, and an extensive class library.

Microsoft has released updates to address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities.

II.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

IV. References

* Microsoft Security Bulletin Summary for February 2012 - <https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>
* Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx>
* Microsoft Update - <https://www.update.microsoft.com/>
* Microsoft Update Overview - <http://www.microsoft.com/security/updates/mu.aspx>
* Turn Automatic Updating On or Off - <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA12-045A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA12-045A Feedback VU#752838" in the subject.

Produced 2012 by US-CERT, a government organization.

Revision History

February 14, 2012: Initial release

Trust: 2.07

sources: NVD: CVE-2012-0014 // JVNDB: JVNDB-2012-001443 // BID: 51938 // VULHUB: VHN-53295 // PACKETSTORM: 109763

AFFECTED PRODUCTS

vendor: microsoft // model: .net framework // scope: eq // version: 3.5.1

Trust: 2.1

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.50524.00

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.51204.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.1.10111

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.603310.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.50917.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.60129.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.50826.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.60531.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.60310.0

Trust: 1.6

vendor: microsoft // model: silverlight // scope: eq // version: 4.0.60831.0

Trust: 1.6

vendor: microsoft // model: .net framework // scope: eq // version: 4.0

Trust: 1.3

vendor: microsoft // model: .net framework // scope: eq // version: 2.0

Trust: 1.3

vendor: microsoft // model: .net framework // scope: eq // version: 2.0 sp2

Trust: 0.8

vendor: microsoft // model: .net framework // scope: eq // version: 4

Trust: 0.8

vendor: microsoft // model: silverlight // scope: lt // version: 4.1.10111 4

Trust: 0.8

vendor: microsoft // model: windows 7 // scope: eq // version: (x32) sp1 before

Trust: 0.8

vendor: microsoft // model: windows 7 // scope: eq // version: (x64) sp1 before

Trust: 0.8

vendor: microsoft // model: windows server 2003 // scope: eq // version: (itanium) sp2

Trust: 0.8

vendor: microsoft // model: windows server 2003 // scope: eq // version: (x64) sp2

Trust: 0.8

vendor: microsoft // model: windows server 2003 // scope: eq // version: sp2

Trust: 0.8

vendor: microsoft // model: windows server 2008 // scope: eq // version: (itanium) sp2

Trust: 0.8

vendor: microsoft // model: windows server 2008 // scope: eq // version: (x64) sp2

Trust: 0.8

vendor: microsoft // model: windows server 2008 // scope: eq // version: (x86) sp2

Trust: 0.8

vendor: microsoft // model: windows server 2008 // scope: eq // version: r2(itanium) sp1 before

Trust: 0.8

vendor: microsoft // model: windows server 2008 // scope: eq // version: r2(x64) sp1 before

Trust: 0.8

vendor: microsoft // model: windows vista // scope: eq // version: (x64) sp2

Trust: 0.8

vendor: microsoft // model: windows vista // scope: eq // version: sp2

Trust: 0.8

vendor: microsoft // model: windows xp // scope: eq // version: (x64) sp2

Trust: 0.8

vendor: microsoft // model: windows xp // scope: eq // version: sp3 sp3

Trust: 0.8

vendor: microsoft // model: silverlight // scope: eq // version: 4.0

Trust: 0.3

vendor: microsoft // model: .net framework sp2 // scope: eq // version: 2.0

Trust: 0.3

vendor: microsoft // model: .net framework sp1 // scope: eq // version: 2.0

Trust: 0.3

vendor: avaya // model: messaging application server // scope: eq // version: 5.2

Trust: 0.3

vendor: avaya // model: messaging application server // scope: eq // version: 5

Trust: 0.3

vendor: avaya // model: messaging application server // scope: eq // version: 4

Trust: 0.3

vendor: avaya // model: meeting exchange webportal // scope: eq // version: -0

Trust: 0.3

vendor: avaya // model: meeting exchange web conferencing server // scope: eq // version: -0

Trust: 0.3

vendor: avaya // model: meeting exchange streaming server // scope: eq // version: -0

Trust: 0.3

vendor: avaya // model: meeting exchange recording server // scope: eq // version: -0

Trust: 0.3

vendor: avaya // model: meeting exchange client registration server // scope: eq // version: -0

Trust: 0.3

vendor: avaya // model: meeting exchange // scope: eq // version: 5.0.0.52

Trust: 0.3

vendor: avaya // model: meeting exchange sp2 // scope: eq // version: 5.2

Trust: 0.3

vendor: avaya // model: meeting exchange sp1 // scope: eq // version: 5.2

Trust: 0.3

vendor: avaya // model: meeting exchange // scope: eq // version: 5.2

Trust: 0.3

vendor: avaya // model: meeting exchange sp1 // scope: eq // version: 5.1

Trust: 0.3

vendor: avaya // model: meeting exchange // scope: eq // version: 5.1

Trust: 0.3

vendor: avaya // model: meeting exchange sp2 // scope: eq // version: 5.0

Trust: 0.3

vendor: avaya // model: meeting exchange sp1 // scope: eq // version: 5.0

Trust: 0.3

vendor: avaya // model: meeting exchange // scope: eq // version: 5.0

Trust: 0.3

vendor: avaya // model: communication server telephony manager // scope: eq // version: 10004.0

Trust: 0.3

vendor: avaya // model: communication server telephony manager // scope: eq // version: 10003.0

Trust: 0.3

vendor: avaya // model: callpilot // scope: eq // version: 5.0

Trust: 0.3

vendor: avaya // model: callpilot // scope: eq // version: 4.0

Trust: 0.3

vendor: avaya // model: aura conferencing standard // scope: eq // version: 6.0

Trust: 0.3

sources: BID: 51938 // JVNDB: JVNDB-2012-001443 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-0014
value: HIGH

Trust: 1.0

NVD: CVE-2012-0014
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201202-274
value: CRITICAL

Trust: 0.6

VULHUB: VHN-53295
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2012-0014
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-53295
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-53295 // JVNDB: JVNDB-2012-001443 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-53295 // JVNDB: JVNDB-2012-001443 // NVD: CVE-2012-0014

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-274

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201202-274

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-001443

PATCH

title: MS12-016 // url: http://technet.microsoft.com/en-us/security/bulletin/ms12-016

Trust: 0.8

title: MS12-016 // url: http://technet.microsoft.com/ja-jp/security/bulletin/ms12-016

Trust: 0.8

title: TA12-045A // url: http://software.fujitsu.com/jp/security/vulnerabilities/ta12-045a.html

Trust: 0.8

title: Windows6.0-KB2633874-ia64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42658

Trust: 0.6

title: Windows6.1-KB2633879-x64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42662

Trust: 0.6

title: Windows6.1-KB2633873-x86 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42666

Trust: 0.6

title: NDP20SP2-KB2633880-x86 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42654

Trust: 0.6

title: NDP40-KB2633870-x86 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42657

Trust: 0.6

title: Windows6.1-KB2633879-ia64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42661

Trust: 0.6

title: Windows6.1-KB2633873-x64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42665

Trust: 0.6

title: NDP20SP2-KB2633880-x64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42653

Trust: 0.6

title: Windows6.0-KB2633874-x86 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42660

Trust: 0.6

title: Windows6.1-KB2633873-ia64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42664

Trust: 0.6

title: NDP20SP2-KB2633880-IA64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42652

Trust: 0.6

title: NDP40-KB2633870-x64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42656

Trust: 0.6

title: Windows6.0-KB2633874-x64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42659

Trust: 0.6

title: Windows6.1-KB2633879-x86 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42663

Trust: 0.6

title: NDP40-KB2633870-IA64 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42655

Trust: 0.6

sources: JVNDB: JVNDB-2012-001443 // CNNVD: CNNVD-201202-274

EXTERNAL IDS

db: NVD // id: CVE-2012-0014

Trust: 2.8

db: USCERT // id: TA12-045A

Trust: 2.6

db: JVNDB // id: JVNDB-2012-001443

Trust: 0.8

db: CNNVD // id: CNNVD-201202-274

Trust: 0.7

db: BID // id: 51938

Trust: 0.4

db: VULHUB // id: VHN-53295

Trust: 0.1

db: PACKETSTORM // id: 109763

Trust: 0.1

sources: VULHUB: VHN-53295 // BID: 51938 // JVNDB: JVNDB-2012-001443 // PACKETSTORM: 109763 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

REFERENCES

url:http://www.us-cert.gov/cas/techalerts/ta12-045a.html

Trust: 2.5

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-016

Trust: 1.7

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a13972

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-0014

Trust: 0.8

url:http://www.jpcert.or.jp/at/2012/at120005.txt

Trust: 0.8

url:http://jvn.jp/cert/jvnta12-045a

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-0014

Trust: 0.8

url:http://www.npa.go.jp/cyberpolice/#topics

Trust: 0.8

url:http://www.microsoft.com

Trust: 0.3

url:http://www.microsoft.com/silverlight/

Trust: 0.3

url:http://support.avaya.com/css/p8/documents/100156771

Trust: 0.3

url:http://technet.microsoft.com/en-us/security/bulletin/ms12-016

Trust: 0.3

url:http://windows.microsoft.com/en-us/windows-vista/turn-automatic-updating-on-or-off

Trust: 0.1

url:https://www.update.microsoft.com/

Trust: 0.1

url:https://technet.microsoft.com/en-us/security/bulletin/ms12-feb

Trust: 0.1

url:http://www.microsoft.com/security/updates/mu.aspx

Trust: 0.1

url:http://www.us-cert.gov/legal.html

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.1

url:http://www.us-cert.gov/cas/techalerts/ta12-045a.html

Trust: 0.1

url:http://technet.microsoft.com/en-us/wsus/default.aspx

Trust: 0.1

sources: VULHUB: VHN-53295 // BID: 51938 // JVNDB: JVNDB-2012-001443 // PACKETSTORM: 109763 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

CREDITS

Jeroen Frijters of Sumatra

Trust: 0.3

sources: BID: 51938

SOURCES

db: VULHUB // id: VHN-53295
db: BID // id: 51938
db: JVNDB // id: JVNDB-2012-001443
db: PACKETSTORM // id: 109763
db: CNNVD // id: CNNVD-201202-274
db: NVD // id: CVE-2012-0014

LAST UPDATE DATE

2024-08-14T12:44:32.424000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-53295 // date: 2020-09-28T00:00:00
db: BID // id: 51938 // date: 2012-02-15T17:40:00
db: JVNDB // id: JVNDB-2012-001443 // date: 2012-02-20T00:00:00
db: CNNVD // id: CNNVD-201202-274 // date: 2020-09-29T00:00:00
db: NVD // id: CVE-2012-0014 // date: 2023-12-07T18:38:56.693

SOURCES RELEASE DATE

db: VULHUB // id: VHN-53295 // date: 2012-02-14T00:00:00
db: BID // id: 51938 // date: 2012-02-14T00:00:00
db: JVNDB // id: JVNDB-2012-001443 // date: 2012-02-16T00:00:00
db: PACKETSTORM // id: 109763 // date: 2012-02-15T00:07:50
db: CNNVD // id: CNNVD-201202-274 // date: 2012-02-16T00:00:00
db: NVD // id: CVE-2012-0014 // date: 2012-02-14T22:55:01.173