XBAPs Security Considerations

Microsoft's Patch Tuesday disclosed critical vulnerabilities affecting XAML Browser Applications (XBAPs). XBAP is a new Windows technology for building rich interactive applications for the web; it combines the features of a web application with those of a rich-client application. XBAPs run in a sandbox specifically so that untrusted applications cannot take control of local system resources.

Security vulnerabilities in the Microsoft .NET Framework and Silverlight could allow remote code execution on a client system when a user views a specially crafted web page in a browser that can run XAML Browser Applications or Silverlight applications.

The vulnerability could also allow remote code execution on a server running IIS (Internet Information Services) if the server allows processing of ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to the server and then executing it, as could be the case in a web hosting scenario.

This vulnerability, although labelled as privately reported, has now been resolved in the latest Microsoft security update, MS11-078. The fix corrects the manner in which .NET restricts inheritance within classes.

Microsoft noted that the majority of its customers have automatic updating enabled and will not need to take any action, because the security update will be downloaded and installed automatically. Customers who have not enabled automatic updating will still need to download and install the latest security fixes manually.

Microsoft has published the configuration information for automatic updating and advises customers to apply the update immediately, either through their update management software or by checking for updates with the Microsoft Update service.
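For administrators who manage updates themselves rather than relying on automatic updating, the practical question is whether MS11-078 is actually present on a given host. The following PowerShell script is an added example written for this article, not Microsoft's tooling; it checks the installed-update list for a KB id and, if the update is missing, asks the Windows Update agent whether it is being offered. The KB number is a placeholder, because the article names only the bulletin (MS11-078) and the correct KB depends on the .NET Framework or Silverlight version installed.

```powershell
# Added example (not from the article): check whether a security update is installed on this
# Windows host, and if not, whether the Windows Update agent currently offers it.
param(
    [string]$KbId = 'KB0000000'   # PLACEHOLDER: substitute the MS11-078 KB id for your .NET/Silverlight version
)

function Test-HotFixInstalled {
    param([string]$Id)
    # Get-HotFix reads the installed-update list (Win32_QuickFixEngineering). It errors when the
    # id is absent, so silence that and turn the result into a boolean.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Find-PendingUpdate {
    param([string]$Id)
    # Query the Windows Update agent (COM) for software updates not yet installed, then match
    # the requested KB. KBArticleIDs holds bare numbers, so prefix "KB" before comparing.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        foreach ($kb in $u.KBArticleIDs) {
            if ("KB$kb" -eq $Id) { return $u }
        }
    }
    return $null
}

if (Test-HotFixInstalled -Id $KbId) {
    Write-Output "$KbId is installed."
} else {
    $pending = Find-PendingUpdate -Id $KbId
    if ($pending) {
        Write-Output "$KbId is NOT installed but is offered by Windows Update: $($pending.Title)"
    } else {
        Write-Output "$KbId is NOT installed and is not currently offered; verify via WSUS or your update management software."
    }
}
```

Two caveats when reading the result: on older platforms some .NET Framework updates are delivered as Windows Installer patches and do not appear in Get-HotFix, and Silverlight fixes ship as new runtime versions rather than hotfixes, so for those components compare the installed version against the one listed in the bulletin instead. The Windows Update search also needs connectivity to Microsoft Update or the configured WSUS server; a null result on an isolated host means "unknown", not "not required".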
