October 26, 2016

Microsoft Fixes Four Critical Vulnerabilities for April’s Patch Tuesday

(LiveHacking.Com) – Microsoft has released six security bulletins, four of which are rated Critical in severity and two Important. The bulletins fix vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server, Server Software, Developer Tools, and Forefront Unified Access Gateway.

The first Critical severity bulletin (MS12-023) patches Internet Explorer to fix five vulnerabilities. The most severe of these could allow remote code execution if a user views a specially crafted webpage designed to exploit the vulnerability; the attacker would then gain the same user rights as the current user.

Next, Microsoft fixed a remote code execution vulnerability in Microsoft Windows (MS12-024). The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

Remote code execution vulnerabilities were also fixed in the .NET Framework (MS12-025):

  1. If a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs) then an attacker could execute arbitrary code on the PC.
  2. Remote code execution could also occur on a server system running IIS if that server allows the processing of ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to the server and then executes it, as could be the case in a web hosting scenario.
  3. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability.
  4. Finally, a compromised website or a website that accepts user-provided content or advertisements could host specially crafted content to exploit this vulnerability.

The fourth and final Critical severity vulnerability fixed is in the Windows common controls (MS12-027). The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. The Windows common controls are installed on a PC with software such as Microsoft Office, Microsoft SQL Server and Microsoft Visual FoxPro.

Mono 2.8.2 Fixes Source Code Disclosure Bug

The Mono Project has released Mono 2.8.2, which “contains an important security fix for users of ASP.NET”. The vulnerability, tagged CVE-2010-4225, allows ASP.NET applications under some circumstances to misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

All 2.8.x versions of Mono are affected. The affected components are the XSP web server and the mod_mono Apache module.

The Mono Project advises every Mono 2.8.x user who hosts web applications with it to upgrade to Mono 2.8.2.