Sign-up

ID

VAR-201202-0054


CVE

CVE-2012-0014


TITLE

Microsoft .NET Framework and Silverlight Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2012-001443

DESCRIPTION

Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4, and Silverlight 4 before 4.1.10111, does not properly restrict access to memory associated with unmanaged objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, (3) a crafted .NET Framework application, or (4) a crafted Silverlight application, aka ".NET Framework Unmanaged Objects Vulnerability.". Microsoft Silverlight and Microsoft .NET Framework are prone to a remote code-execution vulnerability. Successful exploits will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition. The platform includes the C# and Visual Basic programming languages, the common language runtime, and an extensive class library. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for February 2012 describes multiple vulnerabilities in Microsoft Windows. Microsoft has released updates to address the vulnerabilities. II. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2012, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates. IV. References * Microsoft Security Bulletin Summary for February 2012 - <https://technet.microsoft.com/en-us/security/bulletin/ms12-feb> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> * Microsoft Update - <https://www.update.microsoft.com/> * Microsoft Update Overview - <http://www.microsoft.com/security/updates/mu.aspx> * Turn Automatic Updating On or Off - <http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA12-045A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA12-045A Feedback VU#752838" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2012 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History February 14, 2012: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTzqp2T/GkGVXE7GMAQKh6wgAg9gjZ3sCu3eepRZEyFy4PkGhC4A1jzgw 2soH7tPOimgpzlLVbkJ7/RQYylCYixzEa9PbL9v/RzXh/TVVeXrPU97SqmLOAXr7 gtgcapZBGSHBmqYF5BWRnXVRVOQv+JpmdA5AJHO89qQl4okr9VVTCTnQkrAFyzfP 40uf/Nr0DrTRI9dmEjsLTzvOhh0G2HKnBmbpybGaOqoQao67ih/HEOkp6bsCUBwK joX4C3nK9EdMPNK8YAzrHNbM0ANR5DfieGXBsCwNi6/3zZvGB+PKhAu6bikbQrXW iRpyS3IirvDB59KNlmQp3jdaodNHSLOg5JuF7kOdQ1m8qa+DjwSvJQ== =E3Fg -----END PGP SIGNATURE-----

Trust: 2.07

sources: NVD: CVE-2012-0014 // JVNDB: JVNDB-2012-001443 // BID: 51938 // VULHUB: VHN-53295 // PACKETSTORM: 109763

AFFECTED PRODUCTS

vendor:microsoftmodel:.net frameworkscope:eqversion:3.5.1

Trust: 2.1

vendor:microsoftmodel:silverlightscope:eqversion:4.0.50524.00

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.51204.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.1.10111

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.603310.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.50917.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.60129.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.50826.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.60531.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.60310.0

Trust: 1.6

vendor:microsoftmodel:silverlightscope:eqversion:4.0.60831.0

Trust: 1.6

vendor:microsoftmodel:.net frameworkscope:eqversion:4.0

Trust: 1.3

vendor:microsoftmodel:.net frameworkscope:eqversion:2.0

Trust: 1.3

vendor:microsoftmodel:.net frameworkscope:eqversion:2.0 sp2

Trust: 0.8

vendor:microsoftmodel:.net frameworkscope:eqversion:4

Trust: 0.8

vendor:microsoftmodel:silverlightscope:ltversion:4.1.10111 4

Trust: 0.8

vendor:microsoftmodel:windows 7scope:eqversion:(x32) sp1 before

Trust: 0.8

vendor:microsoftmodel:windows 7scope:eqversion:(x64) sp1 before

Trust: 0.8

vendor:microsoftmodel:windows server 2003scope:eqversion:(itanium) sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2003scope:eqversion:(x64) sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2003scope:eqversion:sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2008scope:eqversion:(itanium) sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2008scope:eqversion:(x64) sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2008scope:eqversion:(x86) sp2

Trust: 0.8

vendor:microsoftmodel:windows server 2008scope:eqversion:r2(itanium) sp1 before

Trust: 0.8

vendor:microsoftmodel:windows server 2008scope:eqversion:r2(x64) sp1 before

Trust: 0.8

vendor:microsoftmodel:windows vistascope:eqversion:(x64) sp2

Trust: 0.8

vendor:microsoftmodel:windows vistascope:eqversion:sp2

Trust: 0.8

vendor:microsoftmodel:windows xpscope:eqversion:(x64) sp2

Trust: 0.8

vendor:microsoftmodel:windows xpscope:eqversion:sp3 sp3

Trust: 0.8

vendor:microsoftmodel:silverlightscope:eqversion:4.0

Trust: 0.3

vendor:microsoftmodel:.net framework sp2scope:eqversion:2.0

Trust: 0.3

vendor:microsoftmodel:.net framework sp1scope:eqversion:2.0

Trust: 0.3

vendor:avayamodel:messaging application serverscope:eqversion:5.2

Trust: 0.3

vendor:avayamodel:messaging application serverscope:eqversion:5

Trust: 0.3

vendor:avayamodel:messaging application serverscope:eqversion:4

Trust: 0.3

vendor:avayamodel:meeting exchange webportalscope:eqversion:-0

Trust: 0.3

vendor:avayamodel:meeting exchange web conferencing serverscope:eqversion:-0

Trust: 0.3

vendor:avayamodel:meeting exchange streaming serverscope:eqversion:-0

Trust: 0.3

vendor:avayamodel:meeting exchange recording serverscope:eqversion:-0

Trust: 0.3

vendor:avayamodel:meeting exchange client registration serverscope:eqversion:-0

Trust: 0.3

vendor:avayamodel:meeting exchangescope:eqversion:5.0.0.52

Trust: 0.3

vendor:avayamodel:meeting exchange sp2scope:eqversion:5.2

Trust: 0.3

vendor:avayamodel:meeting exchange sp1scope:eqversion:5.2

Trust: 0.3

vendor:avayamodel:meeting exchangescope:eqversion:5.2

Trust: 0.3

vendor:avayamodel:meeting exchange sp1scope:eqversion:5.1

Trust: 0.3

vendor:avayamodel:meeting exchangescope:eqversion:5.1

Trust: 0.3

vendor:avayamodel:meeting exchange sp2scope:eqversion:5.0

Trust: 0.3

vendor:avayamodel:meeting exchange sp1scope:eqversion:5.0

Trust: 0.3

vendor:avayamodel:meeting exchangescope:eqversion:5.0

Trust: 0.3

vendor:avayamodel:communication server telephony managerscope:eqversion:10004.0

Trust: 0.3

vendor:avayamodel:communication server telephony managerscope:eqversion:10003.0

Trust: 0.3

vendor:avayamodel:callpilotscope:eqversion:5.0

Trust: 0.3

vendor:avayamodel:callpilotscope:eqversion:4.0

Trust: 0.3

vendor:avayamodel:aura conferencing standardscope:eqversion:6.0

Trust: 0.3

sources: BID: 51938 // JVNDB: JVNDB-2012-001443 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-0014
value: HIGH

Trust: 1.0

NVD: CVE-2012-0014
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201202-274
value: CRITICAL

Trust: 0.6

VULHUB: VHN-53295
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2012-0014
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-53295
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-53295 // JVNDB: JVNDB-2012-001443 // CNNVD: CNNVD-201202-274 // NVD: CVE-2012-0014

PROBLEMTYPE DATA

problemtype:CWE-94

Trust: 1.9

sources: VULHUB: VHN-53295 // JVNDB: JVNDB-2012-001443 // NVD: CVE-2012-0014

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201202-274

TYPE

code injection

Trust: 0.6

sources: CNNVD: CNNVD-201202-274

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2012-001443

PATCH
title:MS12-016url:http://technet.microsoft.com/en-us/security/bulletin/ms12-016
Trust: 0.8
title:MS12-016url:http://technet.microsoft.com/ja-jp/security/bulletin/ms12-016
Trust: 0.8
title:TA12-045Aurl:http://software.fujitsu.com/jp/security/vulnerabilities/ta12-045a.html
Trust: 0.8
title:Windows6.0-KB2633874-ia64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42658
Trust: 0.6
title:Windows6.1-KB2633879-x64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42662
Trust: 0.6
title:Windows6.1-KB2633873-x86url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42666
Trust: 0.6
title:NDP20SP2-KB2633880-x86url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42654
Trust: 0.6
title:NDP40-KB2633870-x86url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42657
Trust: 0.6
title:Windows6.1-KB2633879-ia64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42661
Trust: 0.6
title:Windows6.1-KB2633873-x64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42665
Trust: 0.6
title:NDP20SP2-KB2633880-x64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42653
Trust: 0.6
title:Windows6.0-KB2633874-x86url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42660
Trust: 0.6
title:Windows6.1-KB2633873-ia64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42664
Trust: 0.6
title:NDP20SP2-KB2633880-IA64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42652
Trust: 0.6
title:NDP40-KB2633870-x64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42656
Trust: 0.6
title:Windows6.0-KB2633874-x64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42659
Trust: 0.6
title:Windows6.1-KB2633879-x86url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42663
Trust: 0.6
title:NDP40-KB2633870-IA64url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=42655
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2012-001443 // 
            
            
            
            CNNVD: CNNVD-201202-274

EXTERNAL IDS
db:NVDid:CVE-2012-0014
Trust: 2.8
db:USCERTid:TA12-045A
Trust: 2.6
db:JVNDBid:JVNDB-2012-001443
Trust: 0.8
db:CNNVDid:CNNVD-201202-274
Trust: 0.7
db:BIDid:51938
Trust: 0.4
db:VULHUBid:VHN-53295
Trust: 0.1
db:PACKETSTORMid:109763
Trust: 0.1
sources:
            
            
            VULHUB: VHN-53295 // 
            
            
            
            BID: 51938 // 
            
            
            
            JVNDB: JVNDB-2012-001443 // 
            
            
            
            PACKETSTORM: 109763 // 
            
            
            
            CNNVD: CNNVD-201202-274 // 
            
            
            
            NVD: CVE-2012-0014

REFERENCES
url:http://www.us-cert.gov/cas/techalerts/ta12-045a.html
Trust: 2.5
url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-016
Trust: 1.7
url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a13972
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-0014
Trust: 0.8
url:http://www.jpcert.or.jp/at/2012/at120005.txt
Trust: 0.8
url:http://jvn.jp/cert/jvnta12-045a
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-0014
Trust: 0.8
url:http://www.npa.go.jp/cyberpolice/#topics
Trust: 0.8
url:http://www.microsoft.com
Trust: 0.3
url:http://www.microsoft.com/silverlight/
Trust: 0.3
url:http://support.avaya.com/css/p8/documents/100156771
Trust: 0.3
url:http://technet.microsoft.com/en-us/security/bulletin/ms12-016
Trust: 0.3
url:http://windows.microsoft.com/en-us/windows-vista/turn-automatic-updating-on-or-off>
Trust: 0.1
url:https://www.update.microsoft.com/>
Trust: 0.1
url:https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>
Trust: 0.1
url:http://www.microsoft.com/security/updates/mu.aspx>
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/cas/techalerts/ta12-045a.html>
Trust: 0.1
url:http://technet.microsoft.com/en-us/wsus/default.aspx>
Trust: 0.1
sources:
            
            
            VULHUB: VHN-53295 // 
            
            
            
            BID: 51938 // 
            
            
            
            JVNDB: JVNDB-2012-001443 // 
            
            
            
            PACKETSTORM: 109763 // 
            
            
            
            CNNVD: CNNVD-201202-274 // 
            
            
            
            NVD: CVE-2012-0014

CREDITS
Jeroen Frijters of Sumatra
Trust: 0.3
sources:
            
            
            BID: 51938

SOURCES
db:VULHUBid:VHN-53295
db:BIDid:51938
db:JVNDBid:JVNDB-2012-001443
db:PACKETSTORMid:109763
db:CNNVDid:CNNVD-201202-274
db:NVDid:CVE-2012-0014

LAST UPDATE DATE
2024-08-14T12:44:32.424000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-53295date:2020-09-28T00:00:00
db:BIDid:51938date:2012-02-15T17:40:00
db:JVNDBid:JVNDB-2012-001443date:2012-02-20T00:00:00
db:CNNVDid:CNNVD-201202-274date:2020-09-29T00:00:00
db:NVDid:CVE-2012-0014date:2023-12-07T18:38:56.693

SOURCES RELEASE DATE
db:VULHUBid:VHN-53295date:2012-02-14T00:00:00
db:BIDid:51938date:2012-02-14T00:00:00
db:JVNDBid:JVNDB-2012-001443date:2012-02-16T00:00:00
db:PACKETSTORMid:109763date:2012-02-15T00:07:50
db:CNNVDid:CNNVD-201202-274date:2012-02-16T00:00:00
db:NVDid:CVE-2012-0014date:2012-02-14T22:55:01.173