=====================================================================
                            CERT-Renater

                 Information Note No. 2010/VULN400
_____________________________________________________________________

DATE                 : 13/10/2010

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Windows XP, Windows Server 2003, Windows Vista,
                       Windows Server 2008, Windows 7 running Microsoft
                       .NET Framework version 4.0.

======================================================================
KB2160841
http://www.microsoft.com/technet/security/bulletin/MS10-077.mspx
______________________________________________________________________

Microsoft Security Bulletin MS10-077 - Critical

Vulnerability in .NET Framework Could Allow Remote Code Execution
(2160841)

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in
Microsoft .NET Framework. The vulnerability could allow remote code
execution on a client system if a user views a specially crafted Web
page using a Web browser that can run XAML Browser Applications
(XBAPs). Users whose accounts are configured to have fewer user rights
on the system could be less impacted than users who operate with
administrative user rights. The vulnerability could also allow remote
code execution on a server system running IIS, if that server allows
processing ASP.NET pages and an attacker succeeds in uploading a
specially crafted ASP.NET page to that server and then executes the
page, as could be the case in a Web hosting scenario.

This security update is rated Critical for Microsoft .NET Framework 4.0
on supported x64-based and Itanium-based editions of Microsoft Windows.
For more information, see the subsection, Affected and Non-Affected
Software, in this section.

Affected Software

    Windows XP Professional x64 Edition Service Pack 2
    Windows Vista x64 Edition Service Pack 1 and Windows Vista x64
      Edition Service Pack 2
    Windows 7 for x64-based Systems
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems
    Windows Server 2008 for x64-based Systems and Windows Server 2008
      for x64-based Systems Service Pack 2
    Windows Server 2008 for Itanium-based Systems and Windows Server
      2008 for Itanium-based Systems Service Pack 2
    Windows Server 2008 R2 for x64-based Systems
    Windows Server 2008 R2 for Itanium-based Systems

Vulnerability Information

.NET Framework x64 JIT Compiler Vulnerability - CVE-2010-3228

A remote code execution vulnerability exists in the Microsoft .NET
Framework that can allow a specially crafted Microsoft .NET application
to access memory in an unsafe manner, leading to arbitrary unmanaged
code execution. This vulnerability only affects the x64 and Itanium
architectures.

======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================