SB2019021312 - Multiple vulnerabilities in Microsoft .NET Framework

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Spoofing attack (CVE-ID: CVE-2019-0657)

The vulnerability allows a remote attacker to conduct spoofing attack.

The vulnerability exists in thev .Net Framework API's and Visual Studio in the way they parse URL's. A remote attacker can provide a URL string to an application that attempts to verify that the URL belongs to a specific hostname or to a subdomain of that hostname, bypass security logic intended to ensure that a user-provided URL belonged to a specific hostname or a subdomain of that hostname to cause privileged communication to be made to an untrusted service as if it was a trusted service.

2) Memory corruption (CVE-ID: CVE-2019-0613)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in .NET Framework and Visual Studio software when the software fails to check the source markup of a file. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0657
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0613