Microsoft .NET Framework Heap Corruption
TSL ID: TSL20120214-23
CVE ID(s): CVE-2012-0015
Severity: High
Description

A heap corruption vulnerability exists in Microsoft's .NET Framework. The vulnerability is due to an error in calculating a buffer length for percent-encoded URI components of a UTF-8 encoded URI.

Remote attackers could exploit this vulnerability by enticing a target user to either download and execute a malicious XAML browser application, or download and execute a malicious .NET application. Additionally, this vulnerability could be exploited by a remote attacker by sending crafted input to a server application in certain circumstances. A successful exploitation attempt could result in the execution of arbitrary code in the security context in which the .NET application runs.

Microsoft has released software updates that address this vulnerability. Microsoft has also released a security advisory regarding this vulnerability, which is available from the following URL:

http://technet.microsoft.com/en-us/security/bulletin/ms12-016

Affected Products
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5.1
CVSS Score
Base 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is MEDIUM
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.0 (E:U/RL:OF/RC:C):
  • The exploitability level of this vulnerability is UNPROVEN
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED
Identifiers
Microsoft Security Bulletin
OSVDB