Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (MS14-009)

ITS Advisory Number: 2014-010
Date(s) Issued: Tuesday, February 11, 2014
Subject: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (MS14-009)
Overview: 

Vulnerabilities have been discovered in the Microsoft .NET Framework that could allow elevation of privilege. Microsoft .NET is a software framework for applications designed to run under Microsoft Windows. The vulnerability can be exploited if a user visits or is redirected to a specially crafted website. Successful exploitation could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 2.0
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4
  • Microsoft .NET Framework 4.5
  • Microsoft .NET Framework 4.5.1
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: High
Description: 

Multiple vulnerabilities have been discovered in the Microsoft .NET Framework that could allow an elevation of privilege. The details of these vulnerabilities are as follows:

Successful exploitation of these vulnerabilities could result in an attacker gaining complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
References: 
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms14-009
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0257
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0295