===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0317
  Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)
                               12 March 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Silverlight
Publisher:         Microsoft
Operating System:  Windows
                   OS X
Impact/Access:     Reduced Security -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0319

Original Bulletin:
   http://technet.microsoft.com/en-us/security/bulletin/ms14-014

--------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Bulletin MS14-014 - Important

Vulnerability in Silverlight Could Allow Security Feature Bypass (2932677)

Published Date: March 11, 2014

Version: 1.0

General Information

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft
Silverlight. The vulnerability could allow security feature bypass if an
attacker hosts a website that contains specially crafted Silverlight content
that is designed to exploit the vulnerability, and then convinces a user to
view the website. In all cases, however, an attacker would have no way to
force users to visit a website. Instead, an attacker would have to convince
users to visit a website, typically by getting them to click a link in an
email message or in an Instant Messenger message that takes them to the
attacker's website. It could also be possible to display specially crafted
web content by using banner advertisements or by using other methods to
deliver web content to affected systems.

This security update is rated Important for Microsoft Silverlight 5 and
Microsoft Silverlight 5 Developer Runtime when installed on Mac and all
supported releases of Microsoft Windows.

Affected Software

Microsoft Silverlight 5

Vulnerability Information

Silverlight DEP/ASLR Bypass Vulnerability - CVE-2014-0319

A security feature bypass vulnerability exists in Silverlight due to improper
implementation of Data Execution Protection (DEP) and Address Space Layout
Randomization (ASLR). The vulnerability could allow an attacker to bypass the
DEP/ASLR security feature, most likely during or in the course of exploiting
a remote code execution vulnerability.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================