A heap corruption vulnerability exists in Microsoft's .NET Framework. The vulnerability is due to an error in calculating a buffer length for percent-encoded URI components of a UTF-8 encoded URI.

Remote attackers could exploit this vulnerability by enticing a target user to either download and execute a malicious XAML browser application, or download and execute a malicious .NET application. Addtionally, this vulnerability could be exploited by a remote attacker by sending crafted input to a server application in certain circumstances. A successful exploitation attempt could result in the execution of arbitrary code in the security context in which the .NET application runs.

Microsoft has released software updates that address this vulnerability. Microsoft has also released a security advisory regarding this vulnerability, which is available from the following URL:

http://technet.microsoft.com/en-us/security/bulletin/ms12-016

• Microsoft .NET Framework 2.0 Service Pack 2
• Microsoft .NET Framework 3.5.1

• Access vector is NETWORK
• Access complexity is MEDIUM
• Level of authentication required is NONE
• Impact of this vulnerability on data confidentiality is PARTIAL
• Impact of this vulnerability on data integrity is PARTIAL
• Impact of this vulnerability on data availability is PARTIAL

• The exploitability level of this vulnerability is UNPROVEN
• The remediation level of this vulnerability is OFFICIAL FIX
• The report confidence level of this vulnerability is CONFIRMED