The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

security note CVE-2014-0253 CVE-2014-0257 CVE-2014-0295

Microsoft .NET: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Microsoft .NET.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/02/2014.
Revision dates: 12/02/2014, 25/09/2014.
References for this weakness: 2916607, BID-65415, BID-65417, BID-65418, CERTFR-2014-AVI-064, CVE-2014-0253, CVE-2014-0257, CVE-2014-0295, MS14-009, VIGILANCE-VUL-14222.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft .NET.

An attacker can use a POST request to generate an error in the processing of stale or closed HTTP client connections, in order to trigger a denial of service. This vulnerability has the same origin as VIGILANCE-VUL-8809. [severity:2/4; BID-65415, CVE-2014-0253]

An attacker can execute a special method in order to escape the sandbox and escalate privileges. [severity:3/4; BID-65417, CVE-2014-0257]

An attacker can use vsavb7rt.dll to obtain sensitive information about the memory layout, in order to bypass ASLR. [severity:1/4; BID-65418, CVE-2014-0295]

This threat announcement affects software or systems such as .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this cybersecurity alert is important.

The trust level is "confirmed by the editor", and its origin is a document.

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this security alert.

Solutions for this threat

Microsoft .NET: patch.
A patch is available in information sources.
The Microsoft announcement describes workarounds.
Article 2916607 lists known problems:
  https://support.microsoft.com/kb/2916607
