
=====================================================================

                           CERT-Renater

                Information Note No. 2013/VULN053
_____________________________________________________________________

DATE                : 13/02/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Microsoft .NET Framework
                                    versions 2.0, 3.5.1, 4, 4.5.

======================================================================
KB2800277
http://technet.microsoft.com/en-us/security/bulletin/MS13-015
______________________________________________________________________

Microsoft Security Bulletin MS13-015 - Important
Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)

Published Date: February 12, 2013

Version: 1.0


General Information


Executive Summary

This security update resolves one privately reported vulnerability in
the .NET Framework. The vulnerability could allow elevation of
privilege if a user views a specially crafted webpage using a web
browser that can run XAML Browser Applications (XBAPs). The
vulnerability could also be used by Windows .NET applications to bypass
Code Access Security (CAS) restrictions. An attacker who successfully
exploited this vulnerability could gain the same user rights as
the current user. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who operate
with administrative user rights.

This security update is rated Important for Microsoft .NET Framework 2.0
Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework
3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5 on
affected editions of Microsoft Windows.


Affected Software

Microsoft .NET Framework 2.0 Service Pack 2 (KB2789643)
Microsoft .NET Framework 3.5.1 (KB2789644)
Microsoft .NET Framework 4 (KB2789642)
Microsoft .NET Framework 4.5 (KB2789648)


Vulnerability Information

WinForms Callback Elevation Vulnerability - CVE-2013-0073

An elevation of privilege vulnerability exists in the way that the .NET
Framework elevates the permissions of a callback function when a
particular Windows Forms object is created. An attacker who
successfully exploited this vulnerability could take complete control
of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the
system could be less impacted than users who operate with
administrative user rights.

The vulnerability is the result of the .NET Framework improperly
elevating the permissions of a callback function when a particular
WinForms object is created.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
