CVE-2009-2497: Code Injection
First published: Wed Oct 14 2009(Updated: )
The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0, 2.0 SP1, 2.0 SP2, 3.5, and 3.5 SP1, and Silverlight 2, does not properly handle interfaces, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted Silverlight application, (3) a crafted ASP.NET application, or (4) a crafted .NET Framework application, aka "Microsoft Silverlight and Microsoft .NET Framework CLR Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Microsoft Windows 2000 | =sp4 | |
| Any of | ||
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| All of | ||
| Any of | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Any of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| All of | ||
| Any of | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Any of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| All of | ||
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Any of | ||
| Microsoft Windows 7 | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| All of | ||
| Any of | ||
| Microsoft .NET Framework 4 | =1.0-sp3 | |
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| Any of | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows 2000 | =sp4 | |
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft .NET Framework 4 | =1.1-sp1 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft .NET Framework 4 | =2.0 | |
| Microsoft Windows 7 | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| Microsoft .NET Framework 4 | =1.0-sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2009-2497?
CVE-2009-2497 has a critical severity rating due to its potential for remote code execution.
How do I fix CVE-2009-2497?
To mitigate CVE-2009-2497, it is recommended to apply the latest security updates from Microsoft for affected versions of the .NET Framework and Windows.
Which software is affected by CVE-2009-2497?
CVE-2009-2497 affects Microsoft .NET Framework versions 1.0, 1.1, 2.0, 3.5, and several versions of Windows including XP, Vista, 2000, Server 2003, and Server 2008.
Can CVE-2009-2497 affect my application?
Yes, applications utilizing the vulnerable versions of the .NET Framework may be exploited due to CVE-2009-2497.
What attack vectors are associated with CVE-2009-2497?
CVE-2009-2497 can be exploited via crafted XAML browser applications (XBAP) or Silverlight applications.
- collector/nvd-historical
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/microsoft
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft .net framework 4
- version/microsoft .net framework 4/2.0-sp1
- version/microsoft .net framework 4/2.0-sp2
- canonical/microsoft windows server
- version/microsoft windows server/sp2
- version/microsoft .net framework 4/1.1-sp1
- version/microsoft .net framework 4/3.5
- version/microsoft .net framework 4/3.5-sp1
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1
- version/microsoft windows vista/sp2
- version/microsoft .net framework 4/2.0
- canonical/microsoft windows 7
- version/microsoft windows server/r2
- version/microsoft .net framework 4/1.0-sp3
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3