Microsoft .NET Framework Elevation of Privilege Vulnerabilities
Last Update Date: 11 Nov 2015 16:49
Release Date: 11 Nov 2015
RISK: Medium Risk
TYPE: Operating Systems - Windows OS
- .NET Information Disclosure Vulnerability
An information disclosure vulnerability exists in the .NET Framework DTD parsing of certain specially crafted XML files. An attacker who successfully exploited this vulnerability could gain read access to local files on the target system.
- .NET Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform.
- .NET ASLR Bypass
A security feature bypass exists in a .NET Framework component that does not properly implement the Address Space Layout Randomization (ASLR) security feature, which protects users from a broad class of vulnerabilities. The ASLR bypass could allow an attacker to bypass the security feature and then load additional malicious code in an attempt to exploit another vulnerability. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code.
Impact
- Elevation of Privilege
- Security Restriction Bypass
- Information Disclosure
System / Technologies affected
- Microsoft Windows Vista
- Microsoft Windows Server 2008
- Microsoft Windows 7
- Microsoft Windows Server 2008 R2
- Microsoft Windows 8 and Windows 8.1
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows RT and Windows RT 8.1
- Microsoft Windows 10
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Download location for patches:
https://technet.microsoft.com/en-us/library/security/MS15-118
Vulnerability Identifier
Source
Related Link