=====================================================================
                          CERT-Renater
              Information Note No. 2014/VULN066
_____________________________________________________________________

DATE                 : 12/03/2014

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Microsoft Silverlight version 5.

=====================================================================
KB2932677
http://technet.microsoft.com/en-us/security/bulletin/ms14-014
_____________________________________________________________________

Microsoft Security Bulletin MS14-014 - Important

Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

Published Date: March 11, 2014

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow security feature bypass if an attacker hosts a website that contains specially crafted Silverlight content that is designed to exploit the vulnerability, and then convinces a user to view the website. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.

This security update is rated Important for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all supported releases of Microsoft Windows.

Affected Software

Microsoft Silverlight 5

Vulnerability Information

Silverlight DEP/ASLR Bypass Vulnerability - CVE-2014-0319

A security feature bypass vulnerability exists in Silverlight due to improper implementation of Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the DEP/ASLR security feature, most likely during or in the course of exploiting a remote code execution vulnerability.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax  : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================