Category:   Application (Generic)  >   Microsoft .NET
Vendors:   Microsoft
Microsoft .NET Bugs Let Remote Users Execute Arbitrary Code and Deny Service
SecurityTracker Alert ID:  1029745
SecurityTracker URL:  http://securitytracker.com/id/1029745
CVE Reference:   CVE-2014-0253, CVE-2014-0257, CVE-2014-0295
Date:  Feb 11 2014
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0 SP3, 2.0 SP2, 3.5, 3.5.1, 4.0, 4.5, 4.5.1
Description:   Three vulnerabilities were reported in Microsoft .NET. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions. A remote user can bypass security features.

A remote user can send specially crafted HTTP POST requests to cause the target ASP.NET server to stop responding to client requests [CVE-2014-0253].

A remote user can create specially crafted HTML or a Windows .NET application that, when loaded by the target user, will execute arbitrary code on the target system [CVE-2014-0257]. The code will run with the privileges of the target user.

James Forshaw of Context Information Security reported this vulnerability.

Some .NET Framework components do not implement Address Space Layout Randomization (ASLR). A remote user can bypass ASLR security controls [CVE-2014-0295].
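
A defender-side check for the ASLR issue above, added here as an example and not taken from the advisory or from Microsoft: it reads the PE header of each DLL under a directory and lists those that do not opt in to ASLR (the DYNAMICBASE flag) or cannot be rebased. The function names and the sample header are constructed for illustration; the advisory does not name the affected components.

```python
import struct
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # image cannot be rebased


def aslr_status(image: bytes) -> str:
    """Return 'aslr', 'no-aslr' or 'not-pe' for the raw bytes of a file."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if opt + 72 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "not-pe"
    # COFF Characteristics is the last field of the COFF header.
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 22)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "no-aslr"
    if characteristics & IMAGE_FILE_RELOCS_STRIPPED:
        return "no-aslr"  # flag set, but the loader has nothing to rebase with
    return "aslr"


def audit_dir(root: str) -> list:
    """Names of *.dll files under root that load at a predictable address."""
    return sorted(p.name for p in Path(root).rglob("*.dll")
                  if aslr_status(p.read_bytes()) == "no-aslr")


def build_sample(dll_chars: int, characteristics: int = 0x2102) -> bytes:
    """Constructed, header-only PE32 DLL image used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(aslr_status(build_sample(0x0140)))  # DYNAMIC_BASE | NX_COMPAT
    print(aslr_status(build_sample(0x0100)))  # NX_COMPAT only
```

Pointing `audit_dir` at an application or framework directory before and after patching shows which modules still load without randomization.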

Impact:   A remote user can create HTML or an application that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can cause denial of service conditions.

A remote user can bypass address space layout randomization.

Solution:   The vendor has issued a fix.

A patch matrix is available in the vendor's advisory.

A restart is required.

The Microsoft advisory is available at:

http://technet.microsoft.com/en-us/security/bulletin/ms14-009

Vendor URL:  technet.microsoft.com/en-us/security/bulletin/ms14-009
Cause:   Access control error, Randomization error, State error
Underlying OS:  Windows (2003), Windows (2008), Windows (2012), Windows (7), Windows (8), Windows (Vista), Windows (XP)

Message History:   None.

