KLA10753 Multiple vulnerabilities in Microsoft .NET Framework

Multiple serious vulnerabilities have been found in Microsoft .NET Framework. Malicious users can exploit these vulnerabilities to cause denial of service or obtain sensitive information.

Below is a complete list of vulnerabilities

1. An improper handling of XSLT can be exploited remotely via a specially designed XML content to cause denial of service;
2. An improper icon data handling at Windows Forms can be exploited remotely via a specially designed icon to obtain sensitive information.

Technical details

To mitigate vulnerability (1) do not load XSL stylesheets from untrusted sources.

Vulnerability (2) can be exploited by uploading specially designed data and getting response via uploaded icon information.

Original advisories

CVE-2016-0033

CVE-2016-0047

Related products

Microsoft-.NET-Framework

CVE list

CVE-2016-0033 warning

CVE-2016-0047 warning

KB list

3135173

3135174

3137893

Solution

Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)

Impacts

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

• Microsoft .NET Framework 2.0 Service Pack 2Microsoft .NET Framework 3.5.1Microsoft .NET Framework 4.5.2, 4.6, 4.6.1