Microsoft Security Bulletin MS15-049 - Important

Vulnerability in Silverlight Could Allow Elevation of Privilege (3058985)

Published: May 12, 2015 | Updated: June 23, 2015

Version: 1.1

Executive Summary

This security update resolves a vulnerability in Microsoft Silverlight. The vulnerability could allow elevation of privilege if a specially crafted Silverlight application is run on an affected system. To exploit the vulnerability an attacker would first have to log on to the system or convince a logged on user to execute the specially crafted application.

This security update is rated Important for Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac or all supported releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by adding additional checks to ensure that non-elevated processes are restricted to run at a low integrity level (very limited permissions). For more information about the vulnerability, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3058985.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System Maximum Security Impact Aggregate Severity Rating Updates Replaced
Software
Microsoft Silverlight 5 when installed on Mac
(3056819)
Important Elevation of Privilege 2932677 in MS14-014
Microsoft Silverlight 5 Developer Runtime when installed on Mac
(3056819)
Important Elevation of Privilege 2932677 in MS14-014
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients
(3056819)
Important Elevation of Privilege 2932677 in MS14-014
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows clients
(3056819)
Important Elevation of Privilege 2932677 in MS14-014
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers
(3056819)
Important Elevation of Privilege 2932677 in MS14-014
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows servers
(3056819)
Important Elevation of Privilege 2932677 in MS14-014

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the May bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Microsoft Silverlight Out of Browser Application Vulnerability - CVE-2015-1715 Aggregate Severity Rating
Microsoft Silverlight 5 when installed on Mac
(3056819)
Important
Elevation of Privilege
Important
Microsoft Silverlight 5 Developer Runtime when installed on Mac
(3056819)
Important
Elevation of Privilege
Important
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows clients
(3056819)
Important
Elevation of Privilege
Important
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows clients
(3056819)
Important
Elevation of Privilege
Important
Microsoft Silverlight 5 when installed on all supported releases of Microsoft Windows servers
(3056819)
Important
Elevation of Privilege
Important
Microsoft Silverlight 5 Developer Runtime when installed on all supported releases of Microsoft Windows servers
(3056819)
Important
Elevation of Privilege
Important

Update FAQ

Why are the same update files in this bulletin also denoted in the GDI+ bulletin?
Although this bulletin and the GDI+ bulletin releasing simultaneously each address different security vulnerabilities, the security updates for each have been consolidated, hence the occurrence of identical update files being present across the two bulletins.

Note that identical update packages denoted in multiple bulletins do not need to be installed more than once.

Which web browsers support Microsoft Silverlight applications?
In order to run Microsoft Silverlight applications, most web browsers, including Microsoft Internet Explorer, require Microsoft Silverlight to be installed and the corresponding plug-in to be enabled. For more information about Microsoft Silverlight, see the official site, Microsoft Silverlight. Please refer to the documentation of your browser to learn more about how to disable or remove plug-ins.

What versions of Microsoft Silverlight 5 are affected by the vulnerability?
Microsoft Silverlight build 5.1.40416.00, which was the current build of Microsoft Silverlight as of when this bulletin was first released, addresses the vulnerability and is not affected. Builds of Microsoft Silverlight previous to 5.1.40416.00 are affected.

How do I know which version and build of Microsoft Silverlight is currently installed on my system?
If Microsoft Silverlight is already installed on your computer, you can visit the Get Microsoft Silverlight page, which will indicate which version and build of Microsoft Silverlight is currently installed on your system. Alternatively, you can use the Manage Add-Ons feature of current versions of Microsoft Internet Explorer to determine the version and build information that is currently installed on your system.

You can also manually check the version number of sllauncher.exe located in the "%ProgramFiles%\Microsoft Silverlight" directory (on x86 Microsoft Windows systems) or in the "%ProgramFiles(x86)%\Microsoft Silverlight" directory (on x64 Microsoft Windows systems).

In addition, on Microsoft Windows, the version and build information of the currently installed version of Microsoft Silverlight can be found in the registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight]:Version on x86 Microsoft Windows systems, or [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight]:Version on x64 Microsoft Windows systems.

On Apple Mac OS, the version and build information of the currently installed version of Microsoft Silverlight can be found as follows:

  1. Open the Finder
  2. Select the system drive and go to the folder Internet Plug-ins - Library
  3. Right-click the file Silverlight.Plugin (if your mouse has only one button, press the Ctrl key while clicking on the file) to bring up the context menu, then click Show Package Contents
  4. Inside the contents folder, locate the file info.plist and open it with an editor. It will contain an entry like this, which shows you the version number:
    SilverlightVersion
    5.1.40416.00

The version installed with this security update for Microsoft Silverlight 5 is 5.1.40416.00. If your Microsoft Silverlight 5 version number is higher than or equal to this version number, your system is not vulnerable.

How do I upgrade my version of Microsoft Silverlight?
The Microsoft Silverlight auto-update feature helps make sure that your Microsoft Silverlight installation is kept up to date with the latest version of Microsoft Silverlight, Microsoft Silverlight functionality, and security features. For more information about the Microsoft Silverlight auto-update feature, see the Microsoft Silverlight Updater. Windows users who have disabled the Microsoft Silverlight auto-update feature can enroll in Microsoft Update to obtain the latest version of Microsoft Silverlight, or can download the latest version of Microsoft Silverlight manually using the download link in the Affected Software table in the earlier section, Affected and Non-Affected Software. For information about deploying Microsoft Silverlight in an enterprise environment, see the Silverlight Enterprise Deployment Guide.

Will this update upgrade my version of Silverlight?
The 3056819 update upgrades previous versions of Silverlight to Silverlight version 5.1.40416.00. Microsoft recommends upgrading to be protected against the vulnerability described in this bulletin.

Where can I find additional information about the Silverlight product lifecycle?
For lifecycle information specific to Silverlight, see the Microsoft Silverlight Support Lifecycle Policy.

Vulnerability Information

Microsoft Silverlight Out of Browser Application Vulnerability - CVE-2015-1715

An elevation of privilege vulnerability exists in Microsoft Silverlight that is caused when Silverlight improperly allows applications that are intended to run at a low integrity level (very limited permissions) to be executed at a medium integrity level (permissions of the current user) or higher. To exploit this vulnerability an attacker would first have to log on to the system or convince a logged on user to execute a specially crafted Silverlight application.

An attacker who successfully exploited this vulnerability could execute arbitrary code with the same or higher level of permissions as the currently logged on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. The update addresses the vulnerability by adding additional checks to ensure that non-elevated processes are restricted to run at a low integrity level (very limited permissions).

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

The following workarounds may be helpful in your situation:

  • Temporarily prevent Microsoft Silverlight from running in Internet Explorer

    1. In Internet Explorer, go to the Tools menu and then click Internet Options.
    2. In the Internet Options window, click the Programs tab and then click Manage add-ons.
    3. In the Toolbars and Extensions list, locate and select Microsoft Silverlight, and then click Disable.
  • Temporarily prevent Microsoft Silverlight from running in Mozilla Firefox

    1. In Mozilla Firefox, go to the Tools menu and then click Addons.
    2. In the Addons window, click the Plugins tab.
    3. Locate the Silverlight plugin and then click Disable.
  • Temporarily prevent Microsoft Silverlight from running in Google Chrome

    1. In Google Chrome, type about:plugins in the address bar.
    2. In the resulting window, locate the Silverlight plugin and then disable it.
  • Remove Silverlight.Configuration.exe from the IE ElevationPolicy
    Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

    1. Open Registry Editor.
    2. Expand HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Internet Explorer > Low Rights > ElevationPolicy
    3. Select {003B91A6-61E3-4591-891D-01E94C8CB11E}
    4. Click the File menu and then click Export.
    5. In the Export Registry File window type silverlight.configuration.exe_backup.reg and then click Save.
    6. Click the File menu, click Delete, and then click Yes.
    7. Close Registry Editor.
    8. Log off and then log on again, or restart the computer.

How to undo the workaround.

  1. Open Registry Editor.
  2. Click the File menu and then click Import.
  3. In the Import Registry File window, click silverlight.configuration.exe_backup.reg and then click Open.
  4. Close Registry Editor.
  5. Log off and then log on again, or restart the computer.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 12, 2015): Bulletin published.
  • V1.1 (June 23, 2015): Bulletin revised to announce a detection change in the 3056819 update for Microsoft Silverlight 5. This is a detection change only. Customers who have already successfully updated their systems do not need to take any action.

Page generated 2015-06-23 10:35Z-07:00.