|CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft Silverlight
Original Issue Date:December 09, 2015
Severity Rating: HIGH
- Microsoft Silverlight 5
- Microsoft Silverlight 5 Developer Runtime
Multiple vulnerabilities has been reported in Microsoft Silverlight which could allow a remote attacker to gain sensitive information or execute arbitrary code on the target system.
1. Arbitrary Code Execution Vulnerability
This vulnerability exists in Microsoft Silverlight due to improper handling of certain open and close web requests by the affected application. A remote attacker could exploit this vulnerability by enticing the user to visit a website that contains specially crafted Silverlight content. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code in the security context of the targeted user.
2. Information Disclosure Vulnerabilities
These vulnerabilities exist in Microsoft Silverlight due to improper handling of objects in memory by the affected application. A remote attacker could exploit this vulnerability by enticing the user to visit a website that contains specially crafted Silverlight content. Successful exploitation of this vulnerability could allow the attacker to more reliably predict pointer values and degrade the efficacy of the Address Space Layout Randomization (ASLR) feature.
- Temporarily prevent Microsoft Silverlight from running in Internet Explorer
- Temporarily prevent Microsoft Silverlight from running in Mozilla Firefox
- Remove Silverlight.Configuration.exe from the IE Elevation Policy
Apply appropriate updates as mentioned in the Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003