Internet threat level: 1
Home→Descriptions→SA26003
Microsoft .NET Framework Multiple Vulnerabilities
| Secunia ID | |
| CVE-ID | |
| Release Date |
10 Jul 2007 |
| Last Change |
26 Mar 2008 |
| Criticality | |
| Solution Status |
Vendor Patch |
| Software |
Microsoft .NET Framework 1.x |
| Where | |
| Impact |
System accessThis covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Exposure of sensitive informationVulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. Exposure of system informationVulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally. |
| Description |
Some vulnerabilities have been reported in Microsoft .NET Framework, which can be exploited by malicious people to disclose potentially sensitive information or compromise a user's system. 1) A boundary error in the PE Loader can be exploited to execute arbitrary code with permissions of the logged-on user when the user is tricked into visiting a malicious web page and performs certain actions. This vulnerability does not affect the .NET Framework when installed on Windows Vista. 2) An error exists in ASP.NET when processing URLs containing NULL-bytes, which can be exploited to disclose potentially sensitive information by gaining unauthorised access to certain parts of a web site via specially crafted requests. 3) A boundary error in the Just In Time Compiler (JIT) can be exploited to execute arbitrary code with permissions of the logged-on user when the user is tricked into visiting a malicious web page and performs certain actions. This vulnerability only affects .NET Framework 2.0 and does not affect the .NET Framework when installed on Windows Vista. |
| Solution |
Apply patches. -- Microsoft .NET Framework 1.0 -- Windows 2000 SP4: Windows XP SP2: Windows XP Professional x64 Edition (optionally with SP2): Windows XP Tablet PC Edition 2005 and Windows XP Media Center Edition 2005: Windows Server 2003 SP1/SP2: Windows Server 2003 with SP1/SP2 for Itanium-based systems : Windows Server 2003 x64 Edition (optionally with SP2): Windows Vista (optionally with SP1): Windows Server 2008: Windows Server 2008 for Itanium-based Systems: Windows Server 2008 x64 Edition: -- Microsoft .NET Framework 1.1 -- Windows 2000 SP4: Windows XP SP2: Windows XP Professional x64 Edition (optionally with SP2): Windows Server 2003 SP1/SP2: Windows Server 2003 with SP1/SP2 for Itanium-based systems: Windows Server 2003 x64 Edition (optionally with SP2): Windows Vista (optionally with SP1): Windows Vista x64 Edition (optionally with SP1): Windows Server 2008: Windows Server 2008 for Itanium-based Systems: Windows Server 2008 x64 Edition: -- Microsoft .NET Framework 2.0 -- Windows 2000 SP4: Windows XP SP2: Windows XP Professional x64 Edition (optionally with SP2): Windows Server 2003 SP1/SP2 : Windows Server 2003 with SP1/SP2 for Itanium-based systems: Windows Server 2003 x64 Edition (optionally with SP2): Windows Vista: Windows Vista x64 Edition: |
| Reported by |
1) The vendor credits Dinis Cruz, OWASP. |
| Original Advisory |
MS07-040 (KB931212): Security-Assessment.com: |
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.