MS12-034 - Silverlight Hebrew Unicode Engine Glyph Rendering Heap Double Free

A string in XAML containing 33 Hebrew Unicode Glyphs of certain Unicode values (0×0591 – 0×05AF) causes a double free to occur in the Silverlight engine.

Package Name
Silverlight agcore.dll
Date
2012-05-28
Affected Versions
Silverlight 4, Silverlight 5
Author
Alex Plaskett
Severity
High
Vulnerability Class
Remote Code Execution – Heap Memory Corruption
Vendor
Microsoft
Vendor Response
http://technet.microsoft.com/en-us/security/bulletin/ms12-034

Impact

The heap memory corruption could potentially be used by an attacker to execute arbitrary code on vulnerable instances of Silverlight. The vulnerability could be used to break out of the .NET sandbox to achieve native code execution. This vulnerability can be triggered remotely through a web browser through use of a specially crafted web page.

Cause

The vulnerability is caused by Microsoft Silverlight incorrectly freeing memory when rendering specially crafted XAML glyphs. (For example: Unicode Glyph characters for the Hebrew accent and point character set).

Interim Workaround

In order to mitigate this vulnerability from exploitation remotely through the browser Silverlight can be disabled. However, applications which make use of Silverlight will still be vulnerable. Full remediation requires the application of MS12-034 patch available through Windows Updates.

Solution

Microsoft patch MS12-034 was issued to address this issue.