Context to present details at Blackhat USA 2012 in Las Vegas - “Are You My Type? - Breaking .NET Sandboxes Through Serialization”
Microsoft has today released a patch for all available .NET frameworks to fix vulnerabilities identified by a researcher at Context Information Security. These vulnerabilities could allow malicious remote code execution from within .NET applications. The risks relate to the use of "serialization" techniques; a fundamental feature of .NET applications that allows data or objects to be easily transferred and stored. They range from the disclosure of information to full remote code execution - whether they are accessible remotely or contained within trusted sandboxes deployed within technologies such as XBAP or ClickOnce.
The patch makes changes to the workings of the serialization framework to mitigate some of the original design decisions that were taken during the development of the first version of .NET. This required a substantial amount of effort on Microsoft's part to fix the problem without introducing compatibility issues. Context first made Microsoft aware of the .NET vulnerabilities last March and has been working with them since then to help fix the issues.
James Forshaw, Principal Security Consultant at Context, will be presenting full details of the .NET threats at the Blackhat USA 2012 conference in Las Vegas, from 21-26 July.
"There is no evidence to suggest these vulnerabilities have been exploited, " says James Forshaw; "but they would allow an attacker to target an application, either via a remote interface or through code executing within a sandbox, in order to disclose information such as authentication details or to circumvent security measures to execute code under malicious control."
The applications in question could be remotely accessible business services, local privileged applications or sandboxed environments such as XAML browser applications.
The Microsoft patch for these issues can be viewed and downloaded at:
Read more Context research here.