Executive Summary
Summary | |
---|---|
Title | Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561) |
Informations | |||
---|---|---|---|
Name | MS13-052 | First vendor Publication | 2013-07-09 |
Vendor | Microsoft | Last vendor Modification | 2013-08-13 |
Severity (Vendor) | Critical | Revision | 2.0 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Revision Note: V2.0 (August 13, 2013): Bulletin revised to rerelease the 2840628, 2840632, 2840642, 2844285, 2844286, 2844287, and 2844289 updates. Customers should install the rereleased updates that apply to their systems. See the Update FAQ for more information. |
Original Source
Url : http://technet.microsoft.com/en-us/security/bulletin/ms13-052 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:16892 | |||
Oval ID: | oval:org.mitre.oval:def:16892 | ||
Title: | Null pointer vulnerability in Microsoft Silverlight - CVE-2013-3178, MS13-052 (Mac OS) | ||
Description: | Microsoft Silverlight 5 before 5.1.20513.0 does not properly initialize arrays, which allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via a crafted Silverlight application, aka "Null Pointer Vulnerability." | ||
Family: | macos | Class: | vulnerability |
Reference(s): | CVE-2013-3178 | Version: | 3 |
Platform(s): | Apple Mac OS X Apple Mac OS X Server | Product(s): | Microsoft Silverlight 5 for Mac |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:17032 | |||
Oval ID: | oval:org.mitre.oval:def:17032 | ||
Title: | Array access violation vulnerability in Microsoft Silverlight CVE-2013-3131, MS13-052 (Mac OS) | ||
Description: | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5, and Silverlight 5 before 5.1.20513.0, does not properly prevent changes to data in multidimensional arrays of structures, which allows remote attackers to execute arbitrary code via (1) a crafted .NET Framework application or (2) a crafted Silverlight application, aka "Array Access Violation Vulnerability." | ||
Family: | macos | Class: | vulnerability |
Reference(s): | CVE-2013-3131 | Version: | 3 |
Platform(s): | Apple Mac OS X Apple Mac OS X Server | Product(s): | Microsoft Silverlight 5 for Mac |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:17071 | |||
Oval ID: | oval:org.mitre.oval:def:17071 | ||
Title: | Array allocation vulnerability in the Common Language Runtime (CLR) in Microsoft .NET Framework - MS13-052 | ||
Description: | The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 on 64-bit platforms does not properly allocate arrays of structures, which allows remote attackers to execute arbitrary code via a crafted .NET Framework application that changes array data, aka "Array Allocation Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-3134 | Version: | 8 |
Platform(s): | Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Vista Microsoft Windows XP | Product(s): | Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.0 Microsoft .NET Framework 4.5 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17261 | |||
Oval ID: | oval:org.mitre.oval:def:17261 | ||
Title: | Array access violation vulnerability in Microsoft .NET Framework and Silverlight - MS13-052 | ||
Description: | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5, and Silverlight 5 before 5.1.20513.0, does not properly prevent changes to data in multidimensional arrays of structures, which allows remote attackers to execute arbitrary code via (1) a crafted .NET Framework application or (2) a crafted Silverlight application, aka "Array Access Violation Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-3131 | Version: | 9 |
Platform(s): | Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Vista Microsoft Windows XP | Product(s): | Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.0 Microsoft .NET Framework 4.5 Microsoft Silverlight 5 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17323 | |||
Oval ID: | oval:org.mitre.oval:def:17323 | ||
Title: | TrueType font parsing vulnerability in Microsoft Silverlight - CVE-2013-3129, MS13-052 (Mac OS) | ||
Description: | Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5; Silverlight 5 before 5.1.20513.0; win32k.sys in the kernel-mode drivers, and GDI+, DirectWrite, and Journal, in Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT; GDI+ in Office 2003 SP3, 2007 SP3, and 2010 SP1; GDI+ in Visual Studio .NET 2003 SP1; and GDI+ in Lync 2010, 2010 Attendee, 2013, and Basic 2013 allow remote attackers to execute arbitrary code via a crafted TrueType Font (TTF) file, aka "TrueType Font Parsing Vulnerability." | ||
Family: | macos | Class: | vulnerability |
Reference(s): | CVE-2013-3129 | Version: | 3 |
Platform(s): | Apple Mac OS X Apple Mac OS X Server | Product(s): | Microsoft Silverlight 5 for Mac |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:17341 | |||
Oval ID: | oval:org.mitre.oval:def:17341 | ||
Title: | TrueType Font Parsing Vulnerability - CVE-2013-3129 (MS13-052, MS13-053, MS13-054) | ||
Description: | Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5; Silverlight 5 before 5.1.20513.0; win32k.sys in the kernel-mode drivers, and GDI+, DirectWrite, and Journal, in Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT; GDI+ in Office 2003 SP3, 2007 SP3, and 2010 SP1; GDI+ in Visual Studio .NET 2003 SP1; and GDI+ in Lync 2010, 2010 Attendee, 2013, and Basic 2013 allow remote attackers to execute arbitrary code via a crafted TrueType Font (TTF) file, aka "TrueType Font Parsing Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-3129 | Version: | 23 |
Platform(s): | Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Vista Microsoft Windows XP | Product(s): | Microsoft .NET Framework 3.0 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.0 Microsoft .NET Framework 4.5 Microsoft Silverlight 5 Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2010 Microsoft Lync 2010 Microsoft Lync Basic 2013 Microsoft Lync 2010 Attendee Microsoft Visual Studio .NET 2003 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17389 | |||
Oval ID: | oval:org.mitre.oval:def:17389 | ||
Title: | Null pointer vulnerability in Microsoft Silverlight - MS13-052 | ||
Description: | Microsoft Silverlight 5 before 5.1.20513.0 does not properly initialize arrays, which allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via a crafted Silverlight application, aka "Null Pointer Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-3178 | Version: | 5 |
Platform(s): | Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Vista Microsoft Windows XP | Product(s): | Microsoft Silverlight 5 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:17421 | |||
Oval ID: | oval:org.mitre.oval:def:17421 | ||
Title: | Anonymous method injection vulnerability in Microsoft .NET Framework - MS13-052 | ||
Description: | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application, aka "Anonymous Method Injection Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-3133 | Version: | 8 |
Platform(s): | Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2012 Microsoft Windows Vista Microsoft Windows XP | Product(s): | Microsoft .NET Framework 2.0 Microsoft .NET Framework 3.5 Microsoft .NET Framework 3.5.1 Microsoft .NET Framework 4.0 Microsoft .NET Framework 4.5 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2013-07-11 | IAVM : 2013-A-0135 - Microsoft GDI+ Remote Code Execution Vulnerability Severity : Category II - VMSKEY : V0039199 |
2013-07-11 | IAVM : 2013-B-0071 - Multiple Vulnerabilities in Microsoft .NET Framework and Silverlight Severity : Category II - VMSKEY : V0039211 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Microsoft Windows .NET CLR mutlidimensional array handling remote code execut... RuleID : 27139 - Revision : 3 - Type : OS-WINDOWS |
2014-01-10 | Microsoft Windows .NET CLR mutlidimensional array handling remote code execut... RuleID : 27136 - Revision : 4 - Type : OS-WINDOWS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-10 | Name : A multimedia application framework installed on the remote Mac OS X host is a... File : macosx_ms13-052.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The .NET Framework install on the remote Windows host could allow arbitrary c... File : smb_nt_ms13-052.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The Windows kernel on the remote host is affected by multiple vulnerabilities. File : smb_nt_ms13-053.nasl - Type : ACT_GATHER_INFO |
2013-07-10 | Name : The remote Windows host has a remote code execution vulnerability. File : smb_nt_ms13-054.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2016-04-27 02:02:10 |
|
2014-02-17 11:47:42 |
|
2014-01-19 21:30:57 |
|
2013-11-11 12:41:34 |
|
2013-11-04 21:33:46 |
|
2013-08-13 21:26:07 |
|
2013-08-13 21:20:28 |
|
2013-07-10 17:30:54 |
|
2013-07-10 13:22:54 |
|
2013-07-09 21:29:51 |
|
2013-07-09 21:16:39 |
|