Critical Buffer Overflows Plague .NET Framework
Severity: High
10 July, 2007
Summary:
Today, Microsoft released a security bulletin describing three vulnerabilities affecting Microsoft .NET Framework 1.0, 1.1, and 2.0. By tricking one of your users into visiting a maliciously-crafted web page, an attacker could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. In the worst case, the attacker could gain complete control of a victim’s system. If you’ve installed .NET Framework on computers in your network, you should download, test, and deploy the appropriate patches as soon as possible.
Exposure:
According to Microsoft, the .NET Framework is a managed code programming model for building applications that have visually appealing user experiences, seamless and secure communication, and the ability to model a range of business processes. Windows does not always include the .NET Framework. However, many administrators install it on their machines to support internal web applications and custom programs.
In a bulletin released today as part of their monthly patch update, Microsoft described three vulnerabilities in .NET Framework 1.0, 1.1, and 2.0. The flaws include two buffer overflow vulnerabilities that could allow remote code execution on client systems running .NET Framework, and an information disclosure flaw that affects web servers running ASP.NET.
Critical Buffer Overflows Plague .NET Framework
Severity: High
10 July, 2007
Summary:
Today, Microsoft released a security bulletin describing three vulnerabilities affecting Microsoft .NET Framework 1.0, 1.1, and 2.0. By tricking one of your users into visiting a maliciously-crafted web page, an attacker could exploit the worst of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. In the worst case, the attacker could gain complete control of a victim’s system. If you’ve installed .NET Framework on computers in your network, you should download, test, and deploy the appropriate patches as soon as possible.
Exposure:
According to Microsoft, the .NET Framework is a managed code programming model for building applications that have visually appealing user experiences, seamless and secure communication, and the ability to model a range of business processes. Windows does not always include the .NET Framework. However, many administrators install it on their machines to support internal web applications and custom programs.
In a bulletin released today as part of their monthly patch update, Microsoft described three vulnerabilities in .NET Framework 1.0, 1.1, and 2.0. The flaws include two buffer overflow vulnerabilities that could allow remote code execution on client systems running .NET Framework, and an information disclosure flaw that affects web servers running ASP.NET.
The two buffer overflow flaws pose the most serious risk to small to medium businesses. By enticing one of your users into visiting a malicious web site, an attacker could exploit either of these flaws to execute code on that users computer, with that user’s privileges. If that user had local administrative privileges, the attacker would gain complete control of the victim machine.
Solution Path
Microsoft has released .NET Framework updates that fix these vulnerabilities. If you’ve installed .NET Framework in your network, you should download, test and install the appropriate updates as soon as possible.
- .NET Framework 1.0
- .NET Framework 1.1
- .NET framework 2.0
For All WatchGuard Users:
These attacks travel as normal-looking HTTP traffic, which you need to allow so your network users can access the World Wide Web. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches correcting these issues.
References:
- Microsoft Security Bulletin MS07-040
This alert was researched and written by Corey Nachreiner, CISSP