Endpoint Vulnerability

Microsoft Silverlight Memory Corruption Vulnerability

Description

A remote code execution vulnerability exists when Microsoft Silverlight improperly allows applications to access objects in memory. The vulnerability could corrupt system memory, which could allow an attacker to execute arbitrary code.

In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

To exploit the vulnerability, an attacker could host a website that contains a specially crafted Silverlight application and then convince a user to visit the compromised website. The attacker could also take advantage of websites containing specially crafted content, including those that accept or host user-provided content or advertisements. For example, an attacker could display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. However, in all cases, an attacker would have no way to force a user to visit a compromised website. Instead, an attacker would have to convince a user to visit the website, typically by enticing the user to click a link in either an email or instant message.

The update addresses the vulnerability by correcting how Microsoft Silverlight allocates memory for inserting and appending strings in StringBuilder.

Affected Products

Microsoft Silverlight 5 Developer Runtime when installed on Apple Mac OS (Intel-based)
Microsoft Silverlight 5 when installed on Microsoft Windows (x64-based)
Microsoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (x64-based)
Microsoft Silverlight 5 when installed on Apple Mac OS (Intel-based)
Microsoft Silverlight 5 when installed on Microsoft Windows (32-bit)
Microsoft Silverlight 5 Developer Runtime when installed on Microsoft Windows (32-bit)

References

CVE-2016-3367