Summary
This host is missing a critical security update according to Microsoft Bulletin MS12-074.
Impact
Successful exploitation will allow an attacker to execute arbitrary code with the privileges of the currently logged-in user. Failed attacks will cause denial-of-service conditions.
Impact Level: System/Application
Solution
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://technet.microsoft.com/en-us/security/bulletin/ms12-074
Insight
- An error within permissions checking of objects that perform reflection can be exploited via a specially crafted XAML Browser Application (XBAP) or an untrusted .NET application.
- An sanitisation error when processing partially trusted code can be exploited to disclose certain data via a specially crafted XAML Browser Application (XBAP) or an untrusted .NET application.
- The Entity Framework component loads certain libraries in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into opening certain files located on a remote WebDAV or SMB share.
- A validation error when acquiring proxy settings via the Web Proxy Auto-Discovery (WPAD) can be exploited to execute JavaScript code with reduced restrictions.
- An error within permissions checking of Windows Presentation Foundation (WPF) objects that perform reflection can be exploited via a specially crafted XAML Browser Application (XBAP) or an untrusted .NET application.
Affected
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.0, 3.5, 3.5.1, and 4
References
- http://secunia.com/advisories/51236/
- http://support.microsoft.com/kb/2698023
- http://support.microsoft.com/kb/2729449
- http://support.microsoft.com/kb/2729450
- http://support.microsoft.com/kb/2729451
- http://support.microsoft.com/kb/2729452
- http://support.microsoft.com/kb/2729453
- http://support.microsoft.com/kb/2729456
- http://support.microsoft.com/kb/2729460
- http://support.microsoft.com/kb/2745030
- http://technet.microsoft.com/en-us/security/bulletin/ms12-074
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2012-1895, CVE-2012-1896, CVE-2012-2519, CVE-2012-4776, CVE-2012-4777 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Microsoft DirectShow Remote Code Execution Vulnerability (2845187)
- Cumulative Security Update for Internet Explorer (928090)
- Microsoft IE Developer Tools WMITools and Windows Messenger ActiveX Control Vulnerability (2508272)
- Microsoft Internet Explorer Memory Corruption Vulnerability (2755801)
- Microsoft Forefront Protection For Exchange RCE Vulnerability (2927022)