Jon Erickson

**Name of the Vulnerable Software and Affected Versions** Apache Santuario XML Security for C++ versions prior to 1.7.2 **Description** The issue is related to a heap-based buffer overflow in the XML Signature Reference functionality, which can be exploited by context-dependent attackers using malformed XPointer expressions. This could lead to a denial of service (crash) and possibly the execution of arbitrary code. The vulnerability may also compromise the confidentiality, integrity, and availability of protected information. Exploitation can be done remotely. **Recommendations** For versions prior to 1.7.2, update to version 1.7.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XML Signature Reference functionality until a patch is applied. Avoid using malformed XPointer expressions in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions 1.0 SP3 through 4.5 **Description** An information disclosure issue exists due to improper initialization of memory arrays in the Windows Forms component. This allows remote attackers to obtain sensitive information via a crafted XAML browser application (XBAP) or a crafted .NET Framework application that leverages a pointer to an unmanaged memory location. **Recommendations** For Microsoft .NET Framework versions 1.0 SP3 through 4.5, update to a version that properly initializes memory arrays to prevent information disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.