CVE-2012-4776: Input Validation
First published: Wed Nov 14 2012(Updated: )
The Web Proxy Auto-Discovery (WPAD) functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not validate configuration data that is returned during acquisition of proxy settings, which allows remote attackers to execute arbitrary JavaScript code by providing crafted data during execution of (1) an XAML browser application (aka XBAP) or (2) a .NET Framework application, aka "Web Proxy Auto-Discovery Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Any of | ||
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| All of | ||
| Microsoft .NET Framework 4 | =3.5.1 | |
| Any of | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| All of | ||
| Microsoft .NET Framework 4 | =4.0 | |
| Any of | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| All of | ||
| Microsoft .NET Framework 4 | =3.5 | |
| Any of | ||
| Microsoft Windows 8.0 | ||
| Microsoft Windows 8.0 | ||
| Microsoft Windows Server | ||
| All of | ||
| Microsoft .NET Framework 4 | =4.5 | |
| Any of | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows Vista | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft .NET Framework 4 | =3.5.1 | |
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | ||
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows 7 | =sp1 | |
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =r2 | |
| Microsoft .NET Framework 4 | =4.0 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft Windows 8.0 | ||
| Microsoft Windows 8.0 | ||
| Microsoft Windows Server | ||
| Microsoft .NET Framework 4 | =4.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://osvdb.org/87266
- http://secunia.com/advisories/51236
- http://www.securityfocus.com/bid/56463
- http://www.securitytracker.com/id?1027753
- http://www.us-cert.gov/cas/techalerts/TA12-318A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-074
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15810
Frequently Asked Questions
What is the severity of CVE-2012-4776?
CVE-2012-4776 is classified as a critical vulnerability that could allow remote attackers to execute arbitrary JavaScript code.
How do I fix CVE-2012-4776?
To fix CVE-2012-4776, ensure that you apply the latest updates and patches from Microsoft for the affected .NET Framework versions.
What systems are vulnerable to CVE-2012-4776?
CVE-2012-4776 affects Microsoft .NET Framework versions 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 running on various Windows systems.
What kind of attack can exploit CVE-2012-4776?
CVE-2012-4776 can be exploited by attackers providing crafted data during the acquisition of proxy settings, leading to arbitrary code execution.
Is CVE-2012-4776 targeted towards specific applications?
CVE-2012-4776 specifically targets applications that utilize the Web Proxy Auto-Discovery (WPAD) feature within the affected .NET Framework versions.
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/microsoft
- canonical/microsoft .net framework 4
- version/microsoft .net framework 4/2.0-sp2
- canonical/microsoft windows server
- version/microsoft windows server/sp2
- canonical/microsoft windows vista
- version/microsoft windows vista/sp2
- canonical/microsoft windows xp
- version/microsoft windows xp/sp3
- version/microsoft windows xp/sp2
- version/microsoft .net framework 4/3.5.1
- canonical/microsoft windows 7
- version/microsoft windows 7/sp1
- version/microsoft windows server/r2
- version/microsoft .net framework 4/4.0
- version/microsoft .net framework 4/3.5
- canonical/microsoft windows 8.0
- version/microsoft .net framework 4/4.5