CVE-2009-0091: Code Injection
First published: Wed Oct 14 2009(Updated: )
Microsoft .NET Framework 2.0, 2.0 SP1, and 3.5 does not properly enforce a certain type-equality constraint in .NET verifiable code, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft .NET Framework Type Verification Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Microsoft Windows 2000 | =sp4 | |
| Any of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| All of | ||
| Any of | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Any of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| All of | ||
| Any of | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Any of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| All of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Any of | ||
| Microsoft Windows 7 | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| All of | ||
| Any of | ||
| Microsoft .NET Framework 4 | =1.0-sp3 | |
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| Any of | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows 2000 | =sp4 | |
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft .NET Framework 4 | =2.0 | |
| Microsoft Windows 7 | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| Microsoft .NET Framework 4 | =1.0-sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2009-0091?
CVE-2009-0091 is rated as critical due to its potential to allow remote code execution.
How do I fix CVE-2009-0091?
To resolve CVE-2009-0091, you should apply the latest security updates provided by Microsoft for the affected .NET Framework versions.
Which systems are affected by CVE-2009-0091?
CVE-2009-0091 affects Microsoft .NET Framework versions 1.0, 1.1, 2.0, 2.0 SP1, 2.0 SP2, 3.5, and various versions of Windows, including Windows 2000, Server 2003, Server 2008, Vista, and XP.
What types of attacks could exploit CVE-2009-0091?
Attackers can exploit CVE-2009-0091 via crafted XAML browser applications (XBAP) or ASP.NET applications that leverage the vulnerability.
Is there a workaround for CVE-2009-0091 if I cannot apply the fix immediately?
While the most effective mitigation for CVE-2009-0091 is to apply the security updates, temporarily restricting access to .NET applications may help reduce the risk until a patch can be applied.
- collector/nvd-historical
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/microsoft
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft .net framework 4
- version/microsoft .net framework 4/1.1-sp1
- version/microsoft .net framework 4/2.0-sp1
- version/microsoft .net framework 4/2.0-sp2
- canonical/microsoft windows server
- version/microsoft windows server/sp2
- version/microsoft .net framework 4/3.5
- version/microsoft .net framework 4/3.5-sp1
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1
- version/microsoft windows vista/sp2
- version/microsoft .net framework 4/2.0
- canonical/microsoft windows 7
- version/microsoft windows server/r2
- version/microsoft .net framework 4/1.0-sp3
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3