==================================================================== CERT-Renater Note d'Information No. 2016/VULN326 _____________________________________________________________________ DATE : 14/09/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Microsoft Silverlight versions 5. ===================================================================== KB3182373 https://technet.microsoft.com/en-us/library/security/MS16-109 ____________________________________________________________________ Microsoft Security Bulletin MS16-109: Security Update for Silverlight (3182373) Executive Summary This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if a user visits a compromised website that contains a specially crafted Silverlight application. An attacker would have no way to force a user to visit a compromised website. Instead, an attacker would have to convince the user to visit the website, typically by enticing the user to click a link in either an email or instant message that takes the user to the attacker's website. This security update is rated Important for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows. Affected Software Microsoft Silverlight 5 Microsoft Silverlight 5 Developer Runtime Microsoft Silverlight Memory Corruption Vulnerability - CVE-2016-3367 A remote code execution vulnerability exists when Microsoft Silverlight improperly allows applications to access objects in memory. The vulnerability could corrupt system memory, which could allow an attacker to execute arbitrary code. In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit the compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements. For example, an attacker could display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. However, in all cases an attacker would have no way to force a user to visit a compromised website. Instead, an attacker would have to convince a user to visit the website, typically by enticing the user to click a link in either an email or instant message. The update addresses the vulnerability by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited Microsoft Silverlight Memory Corruption Vulnerability CVE-2016-3367 No No ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================