Launch Printer Friendly Page Security TechCenter > > Microsoft Security Bulletin MS09-061

Microsoft Security Bulletin MS09-061 - Critical

Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)

Published: | Updated:

Version: 1.4

General Information

Executive Summary

This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.

This security update is rated Critical for all affected editions of the Microsoft .NET Framework on Microsoft Windows 2000, Windows XP, and Windows Vista; Microsoft Silverlight 2 when installed on Mac; and Microsoft Silverlight 2 when installed on all releases of Microsoft Windows clients.

This security update is rated Important for all affected editions of the Microsoft .NET Framework on Windows Server 2003 and Windows Server 2008.

This security update is rated Moderate for Microsoft Silverlight 2 when installed on all releases of Microsoft Windows servers.

For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way in which the Microsoft .NET verifies and enforces the rules of Microsoft .NET verifiable code and by modifying the way in which the Microsoft .NET Common Language Runtime (CLR) handles interfaces. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. None

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating SystemComponentMaximum Security ImpactAggregate Severity RatingBulletins Replaced by this Update
Microsoft Windows 2000
Microsoft Windows 2000 Service Pack 4Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionCriticalMS07-040
Microsoft Windows 2000 Service Pack 4Microsoft .NET Framework 2.0 Service Pack 1
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2
(KB974417)
Remote Code ExecutionCriticalNone
Windows XP
Windows XP Service Pack 2 and Windows XP Service Pack 3Microsoft .NET Framework 1.0 Service Pack 3
(KB953295)
(Media Center Edition 2005 and Tablet PC Edition 2005 only)

Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionCriticalMS07-040
Windows XP Service Pack 2 and Windows XP Service Pack 3Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974417)
Remote Code ExecutionCriticalNone
Windows XP Professional x64 Edition Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionCriticalMS07-040
Windows XP Professional x64 Edition Service Pack 2Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974417)
Remote Code ExecutionCriticalNone
Windows Server 2003
Windows Server 2003 Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953298)
Remote Code ExecutionImportantMS07-040
Windows Server 2003 Service Pack 2Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974417)
Remote Code ExecutionImportantNone
Windows Server 2003 x64 Edition Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionImportantMS07-040
Windows Server 2003 x64 Edition Service Pack 2Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974417)
Remote Code ExecutionImportantNone
Windows Server 2003 with SP2 for Itanium-based SystemsMicrosoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionImportantMS07-040
Windows Server 2003 with SP2 for Itanium-based SystemsMicrosoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB953300)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974417)
Remote Code ExecutionImportantNone
Windows Vista
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionCriticalMS07-040
Windows VistaMicrosoft .NET Framework 2.0
(KB974468)

Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB974292)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974467)
Remote Code ExecutionCriticalNone
Windows Vista Service Pack 1Microsoft .NET Framework 2.0 Service Pack 1
(KB974291)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974469)
Remote Code ExecutionCriticalNone
Windows Vista Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(KB974470)
Remote Code ExecutionCriticalNone
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionCriticalMS07-040
Windows Vista x64 EditionMicrosoft .NET Framework 2.0
(KB974468)

Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
(KB974292)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974467)
Remote Code ExecutionCriticalNone
Windows Vista x64 Edition Service Pack 1Microsoft .NET Framework 2.0 Service Pack 1
(KB974291)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974469)
Remote Code ExecutionCriticalNone
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(KB974470)
Remote Code ExecutionCriticalNone
Windows Server 2008
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionImportantMS07-040
Windows Server 2008 for 32-bit Systems*Microsoft .NET Framework 2.0 Service Pack 1
(KB974291)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974469)
Remote Code ExecutionImportantNone
Windows Server 2008 for 32-bit Systems Service Pack 2*Microsoft .NET Framework 2.0 Service Pack 2
(KB974470)
Remote Code ExecutionImportantNone
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionImportantMS07-040
Windows Server 2008 for x64-based Systems*Microsoft .NET Framework 2.0 Service Pack 1
(KB974291)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974469)
Remote Code ExecutionImportantNone
Windows Server 2008 for x64-based Systems Service Pack 2*Microsoft .NET Framework 2.0 Service Pack 2
(KB974470)
Remote Code ExecutionImportantNone
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2Microsoft .NET Framework 1.1 Service Pack 1
(KB953297)
Remote Code ExecutionImportantMS07-040
Windows Server 2008 for Itanium-based SystemsMicrosoft .NET Framework 2.0 Service Pack 1
(KB974291)

Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1
(KB974469)
Remote Code ExecutionImportantNone
Windows Server 2008 for Itanium-based Systems Service Pack 2Microsoft .NET Framework 2.0 Service Pack 2
(KB974470)
Remote Code ExecutionImportantNone

*Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 when installed using the Server Core installation option. For more information on this installation option, see the MSDN article, Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Operating System and Other SoftwareMaximum Security ImpactAggregate Severity RatingBulletins Replaced by this Update
Microsoft Silverlight 2* when installed on Mac
(KB970363)
Remote Code ExecutionCriticalNone
Microsoft Silverlight 2* when installed on all releases of Microsoft Windows clients
(KB970363)
Remote Code ExecutionCriticalNone
Microsoft Silverlight 2* when installed on all releases of Microsoft Windows servers**
(KB970363)
Remote Code ExecutionModerateNone

*This download upgrades Microsoft Silverlight 2 to Microsoft Silverlight 3, which addresses the vulnerability.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 and Windows Server 2008 R2 when installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

Non-Affected Software

Operating System and Other SoftwareComponent
Microsoft .NET Framework
All supported releases of Microsoft WindowsMicrosoft .NET Framework 3.0
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5.1
Windows Vista Service Pack 1Microsoft .NET Framework 3.5
Windows Vista Service Pack 2Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Windows Vista x64 Edition Service Pack 1Microsoft .NET Framework 3.5
Windows Vista x64 Edition Service Pack 2Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Microsoft .NET Framework 3.5
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft Silverlight
Microsoft Silverlight 3Not applicable

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

Microsoft .NET Framework Pointer Verification Vulnerability - CVE-2009-0090

Microsoft .NET Framework Type Verification Vulnerability - CVE-2009-0091

Microsoft Silverlight and Microsoft .NET Framework CLR Vulnerability - CVE-2009-2497

Update Information

Detection and Deployment Tools and Guidance

Security Update Deployment

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Pavel Minaev for reporting the Microsoft .NET Framework Pointer Verification Vulnerability (CVE-2009-0090)
  • Jeroen Frijters of Sumatra for reporting the Microsoft .NET Framework Type Verification Vulnerability (CVE-2009-0091)

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (October 13, 2009): Bulletin published.
  • V1.1 (October 21, 2009): Corrected the deployment information for Microsoft .NET Framework on all supported releases of Microsoft Windows. This is an informational change only. Customers who have successfully installed this update do not need to reinstall.
  • V1.2 (November 4, 2009): Added an entry to the Frequently Asked Questions (FAQ) Related to This Security Update section to explain this revision. Customers who have successfully installed this update do not need to reinstall.
  • V1.3 (May 11, 2010): Revised this bulletin to announce a detection logic change to fix a reoffer issue with Windows XP and Windows Server 2003. This is a detection change only that does not affect the files contained in the initial update. Also, corrected installation switches for KB953300 and KB974417 on Windows 2000, Windows XP, and Windows Server 2003, and corrected verification registry keys for KB953300 on Windows XP. Customers who have successfully updated their systems do not need to reinstall this update.
  • V1.4 (June 22, 2010): Removed .NET Framework 1.1 Service Pack 1 as an affected component on Windows 7 and Windows Server 2008 R2.