Microsoft Security Bulletin MS13-022 - Critical

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a web browsing attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Temporarily prevent the Microsoft Silverlight ActiveX control from running in Internet Explorer (Method 1)

  You can help protect against these vulnerabilities by temporarily preventing attempts to instantiate the Silverlight ActiveX control in Internet Explorer by setting the kill bit for the control.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  We recommend that you back up the registry before you edit it.

  Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Silverlight ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

  Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DFEAF541-F3E1-4C24-ACAC-99C30715084A}]
"Compatibility Flags"=dword:00000400

  Close Internet Explorer and reopen it for the changes to take effect.

  For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Silverlight ActiveX control from running in Internet Explorer.

  Impact of workaround. Applications and websites that require the Microsoft Silverlight ActiveX control may no longer function correctly. If you implement this workaround it would affect any Silverlight ActiveX control you have installed on your system.

  How to undo the workaround. Remove the registry keys added to temporarily prevent attempts to instantiate the Silverlight ActiveX control in Internet Explorer.

• Temporarily prevent the Microsoft Silverlight ActiveX control from running in Internet Explorer (Method 2)

  To modify the registry key to disable Microsoft Silverlight, follow these steps:

  Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  • Using the Interactive Method
    1. Click Start, click Run, type Regedit in the Open box, and then click OK.
    2. Locate and click the following registry subkey:

       HKEY_CLASSES_ROOT\CLSID\{DFEAF541-F3E1-4c24-ACAC-99C30715084A}

    3. Right-click {DFEAF541-F3E1-4c24-ACAC-99C30715084A} and select Export. Save the file to disk.
    4. Delete the entire {DFEAF541-F3E1-4c24-ACAC-99C30715084A} key.
    5. Close the registry editor.
  • Using a registry file
    1. Create a backup copy of the registry keys. A backup copy can be made using a managed deployment script with the following command:

       Regedit.exe /e SL_backup.reg HKEY_CLASSES_ROOT\CLSID\{DFEAF541-F3E1-4c24-ACAC-99C30715084A}

    2. Save the following to a file with a .REG extension (e.g., Disable_Silverlight.reg):

       Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{DFEAF541-F3E1-4c24-ACAC-99C30715084A}]

    3. Run the above registry script created in step 2 on the target system with the following command:

       Regedit /s Disable_Silverlight.reg

• Temporarily prevent the Microsoft Silverlight ActiveX control from running in Firefox or Chrome

  To modify the registry key to disable Microsoft Silverlight, follow these steps:

  Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  • Using the Interactive Method
    1. Click Start, click Run, type Regedit in the Open box, and then click OK.
    2. Locate and click the following registry subkey:

       HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0

    3. Right click on @Microsoft.com/NpCtrl,version=1.0 and select Export. Save the file to disk.
    4. Delete the entire @Microsoft.com/NpCtrl,version=1.0 key.
    5. Quit the registry editor.
  • Using a registry file
    1. Create a backup copy of the registry keys. A backup copy can be made using a managed deployment script with the following command:

       Regedit.exe /e SL_backup.reg HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0

    2. Save the following to a file with a .REG extension (e.g. Disable_Silverlight.reg):

       Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0]

    3. Run the above registry script created in step 2 on the target system with the following command:

       Regedit /s Disable_Silverlight.reg

  How to undo the workaround.

  • Using the Interactive Method
    1. Click Start, click Run, type Regedit in the Open box, and then click OK.
    2. On the File menu, click Import.
    3. In Look in, select the drive, folder, or network computer and folder where the file you previously exported is located.
    4. Select the correct file name and then click Open.
  • Using a Managed Deployment Script

    Restore the file backed up in Using a registry file Step 1, above, with the following command:

    Regedit /s SL_backup.reg

What is the scope of the vulnerability? 
This is a remote code execution vulnerability.

What causes the vulnerability? 
The vulnerability is caused by Microsoft Silverlight incorrectly checking a memory pointer when rendering an HTML object.

What is Microsoft Silverlight? 
Microsoft Silverlight is a cross-browser, cross-platform implementation of the Microsoft .NET Framework for building media experiences and rich interactive applications for the web. For more information, see the official site of Microsoft Silverlight.

What might an attacker use the vulnerability to do? 
In the web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could host a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems.

What systems are primarily at risk from the vulnerability? 
Successful exploitation of this vulnerability requires that a user is logged on and is visiting websites using a web browser capable of instantiating Silverlight applications. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. Does this mitigate this vulnerability? 
Yes. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.

Does EMET help mitigate attacks that try to exploit this vulnerability? 
Yes. The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit. EMET is a utility that helps prevent vulnerabilities in software from being successfully exploited for code execution, by applying the latest security mitigation technologies. At this time, EMET is provided with limited support and is only available in the English language. For more information, see Microsoft Knowledge Base Article 2458544.

What is the Enhanced Mitigation Experience Toolkit v3.0 (EMET)? 
The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat in order to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited, but work to make exploitation as difficult to accomplish as possible. In many instances, a fully functional exploit that can bypass EMET may never be developed. For more information, see Microsoft Knowledge Base Article 2458544.

What does the update do? 
The update addresses this vulnerability by correcting how Microsoft Silverlight checks memory pointers when rendering HTML objects.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software.

Reference Table

The following table contains the security update information for this software.