Microsoft .NET Framework Multiple Vulnerabilities

1. An elevation of privilege vulnerability exists in the way that the .NET Framework validates the number of objects in memory before copying those objects into an array. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

There are two attack scenarios possible for exploiting this vulnerability: a web browsing scenario and a Windows .NET application bypass of Code Access Security (CAS) restrictions. These scenarios are described as follows:

• Web browsing attack scenario An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.
• Windows .NET applications attack scenario This vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.

There are two types of systems at risk, which are described as follows:

• Web browsing scenario Successful exploitation of this vulnerability requires a user to be logged on and visiting websites using a web browser capable of instantiating XBAPs. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this.
• Windows .NET applications Workstations and servers that run untrusted Windows .NET Framework applications are also at risk from this vulnerability.

The update addresses the vulnerability by correcting how the .NET Framework copies objects in memory. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2015-2504. When this bulletin was originally released, Microsoft was not aware of any attacks that attempt to exploit this vulnerability.

2. A denial of service vulnerability exists that is caused when .NET fails to properly handle certain specially crafted requests. An attacker who successfully exploited this vulnerability could send a small number of specially crafted requests to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.

An attacker could use this vulnerability to create a denial of service attack and disrupt the availability of sites that use ASP.NET. Internet-facing systems with ASP.NET installed are primarily at risk from this vulnerability. Internal websites that use ASP.NET can also be at risk from this vulnerability. The update addresses the vulnerability by correcting how the .NET Framework handles specially crafted requests.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.