Microsoft DotNet Framework Type Verification Remote Code Execution Vulnerability
Date Discovered: 10/13/2009
Severity: High
Operating Systems Affected:
Microsoft Windows 2000 Service Pack 4
Windows XP SP 2 & SP 3
Windows XP Professional x64 Edition SP 2
Windows Server 2003 SP 2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 SP2 for Itanium-based Systems
Windows Vista
Windows Vista SP 1 & SP 2
Windows Vista x64 Edition
Windows Vista x64 Edition SP 1 & SP 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems SP 2
Application Affected:
Microsoft .NET Framework 1.0 SP 3
Microsoft .NET Framework 1.1 SP 1
Microsoft .NET Framework 2.0 SP 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 SP 1
Identifiers: CVE-2009-0091
Synopsis
The Microsoft DotNet Framework is affected by a type verification vulnerability because of an improper check before running a malicious DotNet application. A remote attacker could exploit this vulnerability to bypass a type equality check through a malicious DotNet application and execute arbitrary code.
The Microsoft DotNet Framework is a software framework that can be installed on computers running Microsoft Windows operating systems.
A type verification vulnerability has been reported in the Microsoft DotNet Framework. The vulnerability occurs when a malformed DotNet application tries to cast an object of one type into another type.
Successful exploitation of this vulnerability could allow a remote attacker to use a malicious DotNet application to bypass a type equality check and cast an object of one type into another type. This could lead to arbitrary code execution.