CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2010-084

DATE(S) ISSUED:
10/12/2010

SUBJECT:
Vulnerability in .NET Framework Could Allow Remote Code Execution (MS10-077)

OVERVIEW:

A vulnerability has been discovered in the Microsoft .NET Framework which could allow an attacker to take complete control of an affected system. Microsoft .NET is a software framework for applications designed to run under Microsoft Windows. This vulnerability may be exploited if a user visits or is redirected to a malicious web server running a specially crafted ASP.NET page. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 
SYSTEMS AFFECTED:


  • Windows XP x64
  • Windows Vista x64
  • Windows Server 2003 x64
  • Windows Server 2008 x64
  • Windows 7 x64
  • Microsoft .NET Framework 4.0
 
RISK:
Government:
  • Large and medium government entities: High
  • Small government entities: High
Businesses:
  • Large and medium business entities: High
  • Small business entities: High
  Home users: High
 
DESCRIPTION:
Microsoft .NET is Microsoft's managed code programming model for applications. Microsoft .NET consists of a common language runtime (CLR) and framework code library. A remote code execution vulnerability has been discovered in Microsoft .NET Framework that may allow malicious Microsoft .NET applications to execute arbitrary unmanaged code. This vulnerability can be exploited through two possible attack scenarios. In the first scenario, users can be exploited if they visit a specially crafted web site that hosts malicious XAML (Extensible Application Markup Language) content. In the second scenario, an attacker uploads malicious ASP.NET code to a web server that hosts user-created content.
 
In a web server attack scenario, the attacker would gain the same privileges as the service account associated with the application pool identity. Depending on the privileges granted to the service account and on application pool configuration, an attacker might be able to take control of other application pools on the affected system. In the case of web-browsing attack scenarios, successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
 
Microsoft has listed several workarounds that would prevent the vulnerabilities from being exploited on affected systems prior to the patch being applied. These workarounds include disabling partially trusted .NET applications and disabling XAML browser applications in Internet Explorer. Please note that these workarounds could negatively affect business operations.
 
RECOMMENDATIONS:
We recommend the following actions be taken:
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the principle of Least Privilege to all services.
  • Unless there is a business need to do otherwise, consider disabling Microsoft .NET applications.
  • Unless there is a business need to do otherwise, consider disabling XAML browser applications in Internet Explorer.
 
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms10-077.mspx
 
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3228
 
Securityfocus:
http://www.securityfocus.com/bid/43781