MS09-061 fixes vulnerabilities in the .NET Framework that could allow a malicious .NET application to execute arbitrary native code, resulting in remote code execution. This post is intended to clarify the attack vectors for these vulnerabilities and to cover the recommended workarounds.


Important note:
These vulnerabilities lie in the .NET Framework itself, not in applications built on it, so you do not need to recompile any of your applications after installing this update. What the vulnerabilities make possible is for a malicious .NET application to escape the restrictions placed on it by the framework.


The attack vectors:
So how could these vulnerabilities be exploited? In short, they make it possible for malicious .NET applications to break out of the Code Access Security (CAS) sandbox. There are three common scenarios in which an attacker could take advantage of this to achieve remote code execution:

- Malicious web page

  - A malicious web page could host a malicious XAML Browser Application (XBAP), Silverlight application, or managed plug-in (off by default in IE8).

  - Please note that Silverlight 3 is not affected by this bulletin. Users who have upgraded to Silverlight 3 are not vulnerable to attacks from malicious Silverlight applications.

  - Note that Internet Explorer is not the only browser impacted, as other browsers also support XBAPs.

  - If successful, a malicious application could use one of these vulnerabilities to execute arbitrary code on the client in the context of the currently logged-in user.

- Malicious ASP.NET applications

  - Servers which allow untrusted ASP.NET applications to be uploaded and run are vulnerable and should prioritize installing this update.

  - A malicious ASP.NET application could use one of these vulnerabilities to execute arbitrary code on the server in the context of the user account of the application pool it is assigned to.

- Malicious .NET applications on network shares

  - By default, prior to .NET 3.5 SP1, .NET applications on network shares run in the CAS sandbox (they are considered partially trusted).

    - If .NET 3.5 SP1 is installed, .NET applications on network shares run in full trust by default.

  - A malicious .NET application run from a network share could use one of these vulnerabilities to escape the CAS sandbox and execute arbitrary code on the client in the context of the currently logged-in user.


How to protect computers without the security update:
First of all, we recommend installing this update as soon as possible. However, if it is not possible to install the update on all of your computers immediately, there are a couple of workarounds which, when applied together, can help protect your computers in the interim.

1. Disable partially trusted .NET applications

   a. Detailed steps are available in the security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-061.mspx.

   b. This workaround will not affect fully trusted .NET applications, such as .NET applications (EXEs) located on your local hard drive.

   c. However, partially trusted applications, such as XBAPs, managed plug-ins, ASP.NET applications, and .NET applications on network shares (if you are using a .NET Framework version older than 3.5 SP1), will not be allowed to run.

   d. This workaround does not protect against malicious Silverlight applications.

   e. Note that this workaround will disable all ASP.NET applications.

2. Temporarily disable Silverlight

   a. This workaround is not applicable to Silverlight 3 users, as Silverlight 3 is not vulnerable.

   b. If you can upgrade to Silverlight 3, we recommend you do that instead of using this workaround.

   c. Detailed steps are available in the security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS09-061.mspx.

   d. This workaround prevents Silverlight from loading, which stops malicious websites from exploiting this vulnerability but also prevents legitimate Silverlight applications from loading.
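As an added example (not code from this post or from the MS09-061 bulletin), here is how an administrator might script both interim workarounds across every installed CLR and verify the result instead of trusting caspol's "Success" banner. It assumes that "disable partially trusted .NET applications" is implemented by setting the machine-level Intranet (1.2), Internet (1.3) and Trusted (1.5) zone code groups to the Nothing permission set with caspol.exe, that the installed Silverlight version is recorded under HKLM\SOFTWARE\Microsoft\Silverlight, and that the CLSID given for the Silverlight ActiveX control is correct. Check all three against the bulletin's own steps, which take precedence; the script does not reproduce whatever the bulletin prescribes for ASP.NET.

```powershell
<#
  Added example: not code from the MSRC post or from the MS09-061 bulletin.
  Assumptions, all to be verified against the bulletin before use:
    * Workaround 1 is implemented by setting the machine-level Intranet (1.2),
      Internet (1.3) and Trusted (1.5) zone code groups to the Nothing
      permission set with caspol.exe. The bulletin's steps take precedence.
    * The installed Silverlight version is read from HKLM\SOFTWARE\Microsoft\Silverlight.
    * $SilverlightClsid is the assumed CLSID of the Silverlight ActiveX control.
  Run from an elevated PowerShell prompt; -WhatIf previews every change.
  Roll back with "caspol -m -reset" per CLR and by deleting the kill-bit value.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch] $KillBitSilverlight,  # opt in; Silverlight handling is report-only by default
    [string] $SilverlightClsid = '{DFEAF541-F3E1-4C24-ACAC-99C30715084A}'  # assumed, verify
)
$ErrorActionPreference = 'Stop'

# One caspol.exe per installed CLR, 32- and 64-bit: CAS policy is stored per CLR.
function Get-CasPolPaths {
    foreach ($root in "$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64") {
        if (Test-Path $root) {
            Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer -and $_.Name -like 'v*' } |
                ForEach-Object { Join-Path $_.FullName 'caspol.exe' } | Where-Object { Test-Path $_ }
        }
    }
}

# Parse the machine-level listing ("caspol -m -lg", English output assumed), e.g.
#    1.2.  Zone - Intranet: LocalIntranet
# into records so the outcome can be checked rather than eyeballed.
function Get-CasGroups([string] $CasPol) {
    & $CasPol -m -lg | ForEach-Object {
        if ($_ -match '^\s*(\d+(?:\.\d+)*)\.\s+(.+?):\s+(.+?)\s*$') {
            New-Object PSObject -Property @{
                Label = $Matches[1]; Membership = $Matches[2]; PermissionSet = $Matches[3] }
        }
    }
}

# Workaround 1: code from the Intranet, Internet and Trusted zones gets the
# Nothing permission set, so it cannot even execute. Local code (MyComputer
# zone, group 1.1) keeps FullTrust, which is why local EXEs are unaffected.
function Disable-PartialTrustZones {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $CasPol)
    $zoneGroups = '1.2', '1.3', '1.5'
    if ($PSCmdlet.ShouldProcess($CasPol, "set code groups $($zoneGroups -join ', ') to Nothing")) {
        & $CasPol -pp off | Out-Null     # suppress caspol's interactive confirmation prompt
        foreach ($g in $zoneGroups) { & $CasPol -m -cg $g Nothing | Out-Null }
        & $CasPol -pp on | Out-Null
        # Verify each touched group now resolves to Nothing.
        $after = Get-CasGroups $CasPol | Where-Object { $zoneGroups -contains $_.Label }
        foreach ($grp in $after) {
            if ($grp.PermissionSet -ne 'Nothing') {
                Write-Warning "$CasPol: group $($grp.Label) ($($grp.Membership)) is still $($grp.PermissionSet)"
            }
        }
        $after
    }
}

# Workaround 2 applies only below Silverlight 3. The control is 32-bit, so on
# x64 its registry key may live under Wow6432Node.
function Get-SilverlightVersion {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Silverlight', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight') {
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
            if ($v) { return [version] $v }
        }
    }
    return $null   # not installed
}

# Internet Explorer refuses to instantiate a control whose ActiveX Compatibility
# entry carries the 0x400 kill bit in "Compatibility Flags".
function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if ($PSCmdlet.ShouldProcess($key, 'set Compatibility Flags = 0x400')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    }
}

$casPols = @(Get-CasPolPaths)
if ($casPols.Count -eq 0) { Write-Warning 'No caspol.exe found under %windir%\Microsoft.NET' }
foreach ($cp in $casPols) {
    Write-Host "== $cp"
    Disable-PartialTrustZones -CasPol $cp | Format-Table Label, Membership, PermissionSet -AutoSize
}

$sl = Get-SilverlightVersion
if ($null -eq $sl)           { Write-Host 'Silverlight: not installed' }
elseif ($sl.Major -ge 3)     { Write-Host "Silverlight $sl is not affected; nothing to do" }
elseif ($KillBitSilverlight) { Set-ActiveXKillBit -Clsid $SilverlightClsid; Write-Host "Silverlight $sl: kill bit set" }
else { Write-Warning "Silverlight $sl is affected: upgrade to 3, or re-run with -KillBitSilverlight" }
```

The Silverlight step is deliberately report-only unless -KillBitSilverlight is passed, because the post's own advice is to upgrade to Silverlight 3 rather than disable the control; the caspol step prints the post-change grant for each zone group so a mis-typed or failed change shows up immediately rather than after the next malicious XBAP.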


Why not disable fully trusted .NET applications?
There is no need to disable fully trusted .NET applications because they can already do anything in the context of the user account they run in, so arbitrary code execution within that same user account context would not gain an attacker anything.

However, partially trusted .NET applications are restricted by the .NET Framework's CAS feature and are prevented from performing dangerous actions even when the user account they run as is allowed to perform them. These partially trusted applications would have something to gain by exploiting one of these vulnerabilities, as they could then perform those sensitive actions. Essentially, they could elevate themselves from partially trusted to fully trusted applications.


Wrap up
I hope you have found this information helpful in understanding the impact of these vulnerabilities, and in how to best protect your computers.

-Kevin Brown, MSRC Engineering

Special thanks to Eugene Bobukh of the MSEC PM team.

Updated October 17, 2009 - updated blog post to clarify that Silverlight 3 is not affected by this bulletin.

Updated August 30, 2010 - Fixed an incorrect link.  Thanks Robert for pointing this out!