====================================================================
                          CERT-Renater

                Information Note No. 2015/VULN075
_____________________________________________________________________

DATE                 : 13/05/2015

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Microsoft Silverlight version 5.

======================================================================
KB3058985
https://technet.microsoft.com/en-us/library/security/MS15-049
______________________________________________________________________

MS15-049: Vulnerability in Silverlight Could Allow Elevation of
Privilege (3058985)

Bulletin Number: MS15-049
Bulletin Title:  Vulnerability in Silverlight Could Allow Elevation of
                 Privilege
Severity:        Important
KB Article:      3058985
Version:         1.0
Published Date:  May 12, 2015

Executive Summary

This security update resolves a vulnerability in Microsoft Silverlight.
The vulnerability could allow elevation of privilege if a specially
crafted Silverlight application is run on an affected system. To exploit
the vulnerability an attacker would first have to log on to the system
or convince a logged on user to execute the specially crafted
application.

This security update is rated Important for Microsoft Silverlight 5 and
Microsoft Silverlight 5 Developer Runtime when installed on Mac or all
supported releases of Microsoft Windows. For more information, see the
Affected Software section.

Affected Software

  Microsoft Silverlight 5 when installed on Mac
  Microsoft Silverlight 5 Developer Runtime when installed on Mac
  Microsoft Silverlight 5 when installed on all supported releases of
    Microsoft Windows clients
  Microsoft Silverlight 5 Developer Runtime when installed on all
    supported releases of Microsoft Windows clients
  Microsoft Silverlight 5 when installed on all supported releases of
    Microsoft Windows servers
  Microsoft Silverlight 5 Developer Runtime when installed on all
    supported releases of Microsoft Windows servers

Vulnerability Information

Microsoft Silverlight Out of Browser Application Vulnerability -
CVE-2015-1715

An elevation of privilege vulnerability exists in Microsoft Silverlight
that is caused when Silverlight improperly allows applications that are
intended to run at a low integrity level (very limited permissions) to
be executed at a medium integrity level (permissions of the current
user) or higher. To exploit this vulnerability an attacker would first
have to log on to the system or convince a logged on user to execute a
specially crafted Silverlight application. An attacker who successfully
exploited this vulnerability could execute arbitrary code with the same
or higher level of permissions as the currently logged on user. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full administrative rights.

The update addresses the vulnerability by adding additional checks to
ensure that non-elevated processes are restricted to run at a low
integrity level (very limited permissions).

Microsoft received information about this vulnerability through
coordinated vulnerability disclosure. When this security bulletin was
originally issued Microsoft had not received any information to indicate
that this vulnerability had been publicly used to attack customers.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax  : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr   +
==========================================================