Security Update for Silverlight to Address Remote Code Execution (MS15-129)

ITS Advisory Number: 
2015-148
Date(s) Issued: 
Tuesday, December 8, 2015
Subject: 
Security Update for Silverlight to Address Remote Code Execution (MS15-129)
Overview: 

This security update resolves vulnerabilities in Microsoft Silverlight. The most severe of the vulnerabilities could allow remote code execution if Microsoft Silverlight incorrectly handles certain open and close requests that could result in read and write access violations. To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit a compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements.

Systems Affected: 
  • Microsoft Silverlight 5
  • Microsoft Silverlight 5 Developer Runtime
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 
  • Microsoft Silverlight RCE Vulnerability - CVE-2015-6166

A remote code execution vulnerability exists when Microsoft Silverlight incorrectly handles certain open and close requests that can result in read and write-access violations.

To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit the compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements. For example, an attacker could display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. In all cases, however, an attacker would have no way to force users to visit a compromised website. Instead, an attacker would have to convince a user to visit the website, typically by enticing the user to click a link in an email or in an Instant Messenger message.

In the web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The update addresses the vulnerability by correcting how Microsoft Silverlight handles certain open and close web requests.

 

  • Multiple Microsoft Silverlight Information Disclosure Vulnerabilities - CVE-2015-6114, CVE-2015-6165

Multiple information disclosure vulnerabilities exist when Silverlight fails to properly handle objects in memory, which could allow an attacker to more reliably predict pointer values and degrade the efficacy of the Address Space Layout Randomization (ASLR) security feature.

To exploit the vulnerabilities, in a web-browsing attack scenario, an attacker could potentially bypass the ASLR security feature, which protects users from a broad class of vulnerabilities. The ASLR bypass by itself does not allow arbitrary code execution. However, an attacker could use the vulnerabilities in conjunction with an ASLR bypass to compromise a targeted system.

In a web-based attack scenario, an attacker could host a website with specially crafted Silverlight content in an attempt to exploit the vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content containing specially crafted content could also exploit the vulnerabilities. An attacker would have no way to force a user to visit a specially crafted website. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's website. The update addresses the vulnerabilities by correcting how memory is handled to maintain the integrity of ASLR in Silverlight.

 

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.