Vulnerabilities > CVE-2012-0176 - Resource Management Errors vulnerability in Microsoft Silverlight

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Double free vulnerability in Microsoft Silverlight 4 before 4.1.10329 on Windows allows remote attackers to execute arbitrary code via vectors involving crafted XAML glyphs, aka "Silverlight Double-Free Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS12-034
bulletin_url
date2012-05-08T00:00:00
impactRemote Code Execution
knowledgebase_id2681578
knowledgebase_url
severityCritical
titleCombined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS12-034.NASL
    descriptionThe remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Win32k TrueType font parsing engine that allows an unauthenticated, remote attacker to execute arbitrary code by convincing a user to open a Word document containing malicious font data. (CVE-2011-3402) - A flaw exists in the t2embed.dll module when parsing TrueType fonts. An unauthenticated, remote attacker can exploit this, via a crafted TTF file, to execute arbitrary code. (CVE-2012-0159) - A flaw exists in the .NET Framework due to a buffer allocation error when handling an XBAP or .NET application. An unauthenticated, remote attacker can exploit this, via a specially crafted application, to execute arbitrary code. (CVE-2012-0162) - A flaw exists in the .NET Framework due to an error when comparing the value of an index in a WPF application. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2012-0164) - A flaw exists in GDI+ when handling specially crafted EMF images that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2012-0165) - A heap buffer overflow condition exists in Microsoft Office in the GDI+ library when handling EMF images embedded in an Office document. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to open a specially crafted document. (CVE-2012-0167) - A double-free error exists in agcore.dll when rendering XAML strings containing Hebrew Unicode glyphs of certain values. An unauthenticated, remote attacker can exploit this to execute arbitrary code by convincing a user to visit a specially crafted web page. (CVE-2012-0176) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages the functions related to Windows and Messages handling. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0180) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages Keyboard Layout files. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-0181) - A privilege escalation vulnerability exists in the way the Windows kernel-mode driver manages scrollbar calculations. A local attacker can exploit this, via a specially crafted application, to gain elevated privileges. (CVE-2012-1848)
    last seen2020-06-01
    modified2020-06-02
    plugin id59042
    published2012-05-09
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59042
    titleMS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(59042);
      script_version("1.49");
      script_cvs_date("Date: 2018/11/15 20:50:31");
    
      script_cve_id(
        "CVE-2011-3402",
        "CVE-2012-0159",
        "CVE-2012-0162",
        "CVE-2012-0164",
        "CVE-2012-0165",
        "CVE-2012-0167",
        "CVE-2012-0176",
        "CVE-2012-0180",
        "CVE-2012-0181",
        "CVE-2012-1848"
      );
      script_bugtraq_id(
        50462,
        53324,
        53326,
        53327,
        53335,
        53347,
        53351,
        53358,
        53360,
        53363
      );
      script_xref(name:"MSFT", value:"MS12-034");
      script_xref(name:"IAVA", value:"2012-A-0079");
      script_xref(name:"EDB-ID", value:"18894");
      script_xref(name:"ZDI", value:"ZDI-12-131");
      script_xref(name:"MSKB", value:"2589337");
      script_xref(name:"MSKB", value:"2596672");
      script_xref(name:"MSKB", value:"2596792");
      script_xref(name:"MSKB", value:"2598253");
      script_xref(name:"MSKB", value:"2636927");
      script_xref(name:"MSKB", value:"2656405");
      script_xref(name:"MSKB", value:"2656407");
      script_xref(name:"MSKB", value:"2656409");
      script_xref(name:"MSKB", value:"2656410");
      script_xref(name:"MSKB", value:"2656411");
      script_xref(name:"MSKB", value:"2658846");
      script_xref(name:"MSKB", value:"2659262");
      script_xref(name:"MSKB", value:"2660649");
      script_xref(name:"MSKB", value:"2676562");
      script_xref(name:"MSKB", value:"2686509");
      script_xref(name:"MSKB", value:"2690729");
    
      script_name(english:"MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)");
      script_summary(english:"Checks the version of multiple files.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing a security update. It is,
    therefore, affected by multiple vulnerabilities :
    
      - A flaw exists in the Win32k TrueType font parsing engine
        that allows an unauthenticated, remote attacker to
        execute arbitrary code by convincing a user to open a
        Word document containing malicious font data.
        (CVE-2011-3402)
    
      - A flaw exists in the t2embed.dll module when parsing
        TrueType fonts. An unauthenticated, remote attacker can
        exploit this, via a crafted TTF file, to execute
        arbitrary code. (CVE-2012-0159)
    
      - A flaw exists in the .NET Framework due to a buffer
        allocation error when handling an XBAP or .NET
        application. An unauthenticated, remote attacker can
        exploit this, via a specially crafted application, to
        execute arbitrary code. (CVE-2012-0162)
    
      - A flaw exists in the .NET Framework due to an error
        when comparing the value of an index in a WPF
        application. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition.
        (CVE-2012-0164)
    
      - A flaw exists in GDI+ when handling specially crafted
        EMF images that allows an unauthenticated, remote
        attacker to execute arbitrary code. (CVE-2012-0165)
    
      - A heap buffer overflow condition exists in Microsoft
        Office in the GDI+ library when handling EMF images
        embedded in an Office document. An unauthenticated,
        remote attacker can exploit this to execute arbitrary
        code by convincing a user to open a specially crafted
        document. (CVE-2012-0167)
    
      - A double-free error exists in agcore.dll when rendering
        XAML strings containing Hebrew Unicode glyphs of certain
        values. An unauthenticated, remote attacker can exploit
        this to execute arbitrary code by convincing a user to
        visit a specially crafted web page. (CVE-2012-0176)
    
      - A privilege escalation vulnerability exists in the
        way the Windows kernel-mode driver manages the functions
        related to Windows and Messages handling. A local
        attacker can exploit this, via a specially crafted
        application, to gain elevated privileges.
        (CVE-2012-0180)
    
      - A privilege escalation vulnerability exists in the way
        the Windows kernel-mode driver manages Keyboard Layout
        files. A local attacker can exploit this, via a
        specially crafted application, to gain elevated
        privileges. (CVE-2012-0181)
    
      - A privilege escalation vulnerability exists in the way
        the Windows kernel-mode driver manages scrollbar
        calculations. A local attacker can exploit this, via a
        specially crafted application, to gain elevated
        privileges. (CVE-2012-1848)");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-131/");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2012/Aug/60");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-034");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows XP, 2003, Vista,
    2008, 7, 2008 R2; Office 2003, 2007, and 2010; .NET Framework 3.0,
    3.5.1, and 4.0; and Silverlight 4 and 5.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:silverlight");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies(
        "smb_hotfixes.nasl",
        "office_installed.nasl",
        "silverlight_detect.nasl",
        "ms_bulletin_checks_possible.nasl"
      );
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS12-034';
    kbs = make_list(
      '2589337',
      '2596672',
      '2596672',
      '2596792',
      '2598253',
      '2636927',
      '2656405',
      '2656407',
      '2656409',
      '2656410',
      '2656411',
      '2658846',
      '2659262',
      '2660649',
      '2676562',
      '2686509',
      '2690729'
    );
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    vuln = 0;
    
    #######################
    # KB2686509           #
    #######################
    winver = get_kb_item('SMB/WindowsVersion');
    spver = get_kb_item('SMB/CSDVersion');
    prodname = get_kb_item('SMB/ProductName');
    if (spver)
      spver = int(ereg_replace(string:spver, pattern:'.*Service Pack ([0-9]).*', replace:"\1"));
    if (
      winver && spver && prodname &&
      ((winver == '5.2' && spver == 2) ||
      (winver == '5.1' && spver == 3))
    )
    {
      if (winver == '5.2' && spver == 2 && 'XP' >< prodname)
        reg_name = "SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP3\KB2686509\Description";
      else if (winver == '5.2' && spver == 2)
        reg_name = "SOFTWARE\Microsoft\Updates\Windows Server 2003\SP3\KB2686509\Description";
      else if (winver == '5.1' && spver == 3)
        reg_name = "SOFTWARE\Microsoft\Updates\Windows XP\SP4\KB2686509\Description";
    
      registry_init();
      hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
      desc = get_registry_value(handle:hklm, item:reg_name);
      RegCloseKey(handle:hklm);
      close_registry();
    
      if (isnull(desc))
      {
        hotfix_add_report('  According to the registry, KB2686509 is missing.\n', bulletin:bulletin, kb:"2686509");
        vuln++;
      }
    }
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    path  = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1$", string:rootfile);
    
    login  = kb_smb_login();
    pass   = kb_smb_password();
    domain = kb_smb_domain();
    port   = kb_smb_transport();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, "smb_session_init");
    
    hcf_init = TRUE;
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    office_versions = hotfix_check_office_version();
    cdir = hotfix_get_commonfilesdir();
    
    ################################################################
    # Office Checks                                                #
    ################################################################
    
    #############################
    # Office 2003 SP3 KB2598253 #
    #############################
    if (office_versions["11.0"])
    {
      office_sp = get_kb_item("SMB/Office/2003/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        path = hotfix_get_officeprogramfilesdir(officever:'11.0') + "\Microsoft Office\Office11";
    
        if (hotfix_is_vulnerable(file:"Gdiplus.dll", version:"11.0.8345.0", min_version:"11.0.0.0", path:path, bulletin:bulletin, kb:'2598253'))
          vuln++;
      }
    }
    
    #############################
    # Office 2007 SP2           #
    #   KB2596672, KB2596792    #
    #############################
    if (office_versions["12.0"])
    {
      office_sp = get_kb_item("SMB/Office/2007/SP");
      if (!isnull(office_sp) && (office_sp == 2 || office_sp == 3))
      {
        path = cdir + "\Microsoft Shared\Office12";
        if (hotfix_is_vulnerable(file:"Ogl.dll", version:"12.0.6659.5000", path:path, bulletin:bulletin, kb:'2596672'))
          vuln++;
    
        path = cdir + "\Microsoft SHared\MODI\12.0";
        if (hotfix_is_vulnerable(file:"Mspcore.dll", version:"12.0.6658.5001", path:path, bulletin:bulletin, kb:'2596792'))
          vuln++;
      }
    }
    
    #############################
    # Office 2010 KB2589337     #
    #############################
    if (office_versions["14.0"])
    {
      office_sp = get_kb_item("SMB/Office/2010/SP");
      if (!isnull(office_sp) && (office_sp == 0 || office_sp == 1))
      {
        path = cdir + "\Microsoft Shared\Office14";
        if (hotfix_is_vulnerable(file:"Ogl.dll", version:"14.0.6117.5001", path:path, bulletin:bulletin, kb:'2589337'))
          vuln++;
      }
    }
    
    # Silverlight 4.x / 5.x
    slfix = NULL;
    slkb = NULL;
    ver = get_kb_item("SMB/Silverlight/Version");
    if (ver =~ '^4\\.' && ver_compare(ver:ver, fix:'4.1.10329.0') == -1)
    {
      slfix = '4.1.10329';
      slkb = '2690729';
    }
    else if (ver =~ '^5\\.' && ver_compare(ver:ver, fix:'5.1.10411.0') == -1)
    {
      slfix = '5.1.10411';
      slkb = '2636927';
    }
    if (slfix)
    {
      path = get_kb_item("SMB/Silverlight/Path");
      report +=
        '\n  Product           : Microsoft Silverlight' +
        '\n  Path              : ' + path +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + slfix + '\n';
      hotfix_add_report(report, bulletin:bulletin, kb:slkb);
      vuln++;
    }
    
    if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0)
    {
      if (vuln > 0)
      {
        set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
        hotfix_security_hole();
        hotfix_check_fversion_end();
        exit(0);
      }
      else audit(AUDIT_OS_SP_NOT_VULN);
    }
    
    if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");
    ################################################################
    # .NET Framework Checks                                        #
    ################################################################
    
    
    net3path = hotfix_get_programfilesdir() + "\Reference Assemblies\Microsoft\Framework\v3.0";
    if (!isnull(net3path))
    {
      # .NET Framework 3.0 on Windows XP / Windows Server 2003
      missing = 0;
      missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"3.0.6920.4021", min_version:"3.0.6920.0", dir:net3path);
      missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"3.0.6920.5810", min_version:"3.0.6920.5700", dir:net3path);
      missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"3.0.6920.4021", min_version:"3.0.6920.0", dir:net3path);
      missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"3.0.6920.5810", min_version:"3.0.6920.5700", dir:net3path);
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656407");
      vuln += missing;
    
      # .NET Framework 3.0 on Windows Vista / Windows Server 2008
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"3.0.6920.4213", min_version:"3.0.6920.0", dir:net3path);
      missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"3.0.6920.5794", min_version:"3.0.6920.5700", dir:net3path);
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656409");
      vuln += missing;
    
      # .NET Framework 3.5.1 on Windows 7 / Server 2008 R2
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"PresentationCore.dll", version:"3.0.6920.5809", min_version:"3.0.6920.5700", dir:net3path);
      missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"PresentationCore.dll", version:"3.0.6920.5005", min_version:"3.0.6920.5000", dir:net3path);
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656410");
      vuln += missing;
    
      # .NET Framework 3.5.1 on Windows 7 SP1 / Server 2008 R2 SP1
      missing = 0;
      missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"PresentationCore.dll", version:"3.0.6920.5794", min_version:"3.0.6920.5700", dir:net3path);
      missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"PresentationCore.dll", version:"3.0.6920.5448", min_version:"3.0.6920.5000", dir:net3path);
    
      if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2633873");
      vuln += missing;
    }
    # .NET Framework 4.0 on all supported versions of Windows
    missing = 0;
    missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"5.1", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"5.2", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"6.0", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"6.1", file:"PresentationCore.dll", version:"4.0.30319.275", min_version:"4.0.30319.0",   dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    missing += hotfix_is_vulnerable(os:"6.1", file:"PresentationCore.dll", version:"4.0.30319.550", min_version:"4.0.30319.400", dir:"\Microsoft.NET\Framework\v4.0.30319\WPF");
    
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:"2656405");
    vuln += missing;
    
    ################################################################
    # Windows Checks                                               #
    ################################################################
    
    #######################
    # KB2676562           #
    #######################
    missing = 0;
    # Windows 7 / 2008 R2
    missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.21955", min_version:"6.1.7601.21000", dir:"\system32");
    missing += hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.17803", min_version:"6.1.7601.17000", dir:"\system32");
    missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.21179", min_version:"6.1.7600.20000", dir:"\system32");
    missing += hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.16988", min_version:"6.1.7600.16000", dir:"\system32");
    
    # Windows Vista / 2008
    missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.22831", min_version:"6.0.6002.22000", dir:"\system32");
    missing += hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18607", min_version:"6.0.6002.18000", dir:"\system32");
    
    # Windows 2003 / XP 64-bit
    missing += hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.4980", dir:"\system32");
    
    # Windows XP 32-bit
    missing += hotfix_is_vulnerable(os:"5.1", sp:3, file:"Win32k.sys", version:"5.1.2600.6206", dir:"\system32");
    if (missing > 0) hotfix_add_report(bulletin:bulletin, kb:'2676562');
    vuln+= missing;
    
    ################################
    # WinSxS Checks                #
    ################################
    winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:rootfile);
    
    #######################
    # KB2659262           #
    #######################
    kb = '2659262';
    files = list_dir(basedir:winsxs, level:0, dir_pat:'microsoft.windows.gdiplus', file_pat:'^gdiplus\\.dll$');
    
    # Windows XP / 2003
    vuln += hotfix_check_winsxs(os:'5.1', sp:3, files:files, versions:make_list('5.2.6002.22791'), bulletin:bulletin, kb:kb);
    vuln += hotfix_check_winsxs(os:'5.2', sp:2, files:files, versions:make_list('5.2.6002.22791'), bulletin:bulletin, kb:kb);
    
    # Windows Vista / 2008
    versions = make_list('5.2.6002.18581', '5.2.6002.22795', '6.0.6002.18581', '6.0.6002.22795');
    max_versions = make_list('5.2.6002.20000', '5.2.6002.99999', '6.0.6002.20000', '6.0.6002.99999');
    vuln += hotfix_check_winsxs(os:'6.0', sp:2, files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);
    
    # Windows 7 / 2008 R2
    versions = make_list('5.2.7600.17007', '5.2.7600.21198', '5.2.7601.17825', '5.2.7601.21977', '6.1.7600.17007', '6.1.7600.21198', '6.1.7601.17825', '6.1.7601.21977');
    max_versions = make_list('5.2.7600.20000', '5.2.7600.99999', '5.2.7601.20000', '5.2.7601.99999', '6.1.7600.20000', '6.1.7600.99999', '6.1.7601.20000', '6.1.7601.99999');
    vuln += hotfix_check_winsxs(os:'6.1', files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);
    
    #######################
    # KB2658846           #
    #######################
    kb = '2658846';
    files = list_dir(basedir:winsxs, level:0, dir_pat:'microsoft-windows-directwrite', file_pat:'^Dwrite\\.dll$');
    
    # Windows Vista / Windows Server 2008
    vuln += hotfix_check_winsxs(os:'6.0', files:files, versions:make_list('7.0.6002.18592', '7.0.6002.22807'), max_versions:make_list('7.0.6002.20000', '7.0.6002.99999'), bulletin:bulletin, kb:kb);
    
    # Windows 7 2008 R2
    versions = make_list('6.1.7600.16972', '6.1.7600.21162', '6.1.7601.17789', '6.1.7601.21935');
    max_versions = make_list('6.1.7600.20000', '6.1.7600.99999', '6.1.7601.20000', '');
    vuln += hotfix_check_winsxs(os:'6.1', files:files, versions:versions, max_versions:max_versions, bulletin:bulletin, kb:kb);
    
    #######################
    # KB2660649           #
    #######################
    kb = '2660649';
    
    # Windows XP / Windows Server 2003
    #(hotfix_check_sp(xp:4, win2003:3) > 0 && (version_cmp(a:ver, b:'1.7.2600.6189') >= 0)) ||
    
    base_path = hotfix_get_programfilesdir();
    if (!base_path) base_path = hotfix_get_programfilesdirx86();
    
    if (!base_path) audit(AUDIT_PATH_NOT_DETERMINED, "Common Files");
    
    full_path = hotfix_append_path(path:base_path, value:"\windows journal");
    
    if (
      # Vista
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"jnwdrv.dll", version:"0.3.6002.22789", min_version:"0.3.6002.20000", path:full_path, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"jnwdrv.dll", version:"0.3.6002.18579", min_version:"0.3.6002.18000", path:full_path, bulletin:bulletin, kb:kb) ||
    
      # Windows 7
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7601.21955", min_version:"0.3.7601.18000", path:full_path, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7601.17803", min_version:"0.3.7601.16000", path:full_path, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7600.21179", min_version:"0.3.7600.18000", path:full_path, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"6.1", sp:1, file:"jnwdrv.dll", version:"0.3.7600.16988", min_version:"0.3.7600.16000", path:full_path, bulletin:bulletin, kb:kb)
    )
      vuln += 1;
    hotfix_check_fversion_end();
    #######################
    # Report              #
    #######################
    if (vuln > 0)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS12-034.NASL
    descriptionThe version of Microsoft Silverlight installed on the remote host is reportedly affected by several vulnerabilities : - Incorrect handling of TrueType font (TTF) files could lead to arbitrary code execution. (CVE-2011-3402 / CVE-2012-0159) - A double-free condition leading to arbitrary code execution could be triggered when rendering specially crafted XAML glyphs. (CVE-2012-0176)
    last seen2020-06-01
    modified2020-06-02
    plugin id59045
    published2012-05-09
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59045
    titleMS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) (Mac OS X)

Oval

accepted2013-04-22T04:00:10.921-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
commentMicrosoft Silverlight 4 is installed
ovaloval:org.mitre.oval:def:14639
descriptionDouble free vulnerability in Microsoft Silverlight 4 before 4.1.10329 on Windows allows remote attackers to execute arbitrary code via vectors involving crafted XAML glyphs, aka "Silverlight Double-Free Vulnerability."
familywindows
idoval:org.mitre.oval:def:15574
statusaccepted
submitted2012-05-08T13:00:00
titleSilverlight Double-Free Vulnerability
version8

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 53360 CVE ID: CVE-2012-0176 Microsoft Silverlight是跨浏览器、跨平台的.NET实现,用于为Web构建媒体体验和交互应用。 Microsoft Silverlight 中存在一个远程执行代码漏洞,它可能允许特制的 Silverlight 应用程序以不安全的方式访问内存。成功利用此漏洞的攻击者可以在登录用户的安全上下文中运行任意代码。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。 0 Microsoft Silverlight 4.0 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS12-034)以及相应补丁: MS12-034:Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578) 链接:http://www.microsoft.com/technet/security/bulletin/MS12-034.asp
idSSV:60105
last seen2017-11-19
modified2012-05-09
published2012-05-09
reporterRoot
titleMicrosoft Silverlight双重释放远程代码执行漏洞(CVE-2012-0176)(MS12-034)