Vitaliy Toropov

**Name of the Vulnerable Software and Affected Versions** Apple OS X versions prior to 10.10.3 **Description** The issue is related to a buffer overflow in the IOHIDFamily component of Apple OS X, allowing local users to gain privileges. Additionally, there are reports of a heap buffer overflow in the IOHIDSecurePromptClient and an untrusted pointer dereference, which can lead to arbitrary code execution. **Recommendations** For versions prior to 10.10.3, update to version 10.10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the IOHIDFamily component and the IOHIDSecurePromptClient until a patch is applied. Avoid using the affected `IOHIDSecurePromptClient` function in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apple OS X (affected versions not specified) **Description** The issue is related to the IOHIDSecurePromptClient function, which does not properly validate pointer values. This allows remote attackers to execute arbitrary code or cause a denial of service, resulting in a system crash, via a crafted web site. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Silverlight versions prior to 5.1.20513.0 **Description** The issue is related to improper array initialization, which can be exploited by remote attackers to execute arbitrary code or cause a denial of service through a NULL pointer dereference. This can be achieved via a crafted Silverlight application. **Recommendations** For versions prior to 5.1.20513.0, update to version 5.1.20513.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple iTunes versions prior to 11.0.3 **Description** The issue allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service, resulting in memory corruption and application crash. This is related to vectors involving iTunes Store browsing. **Recommendations** For Apple iTunes versions prior to 11.0.3, update to version 11.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions 2.0 SP2 through 4.5 **Description** A buffer overflow issue exists in the System.DirectoryServices.Protocols namespace method, allowing remote attackers to execute arbitrary code via a crafted XAML browser application or a crafted .NET Framework application. This occurs due to a missing array-size check during a memory copy operation. The vulnerability can be exploited to gain elevation of privilege, enabling an attacker to take complete control of an affected system, install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft .NET Framework versions 2.0 SP2 through 4.5, consider disabling the vulnerable System.DirectoryServices.Protocols namespace method until a patch is available. Restrict access to the affected .NET Framework applications to minimize the risk of exploitation. Avoid using crafted XAML browser applications or .NET Framework applications that leverage the missing array-size check during a memory copy operation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 **Description** The issue allows remote attackers to execute arbitrary code via a crafted XAML browser application or a crafted .NET Framework application. This is due to the improper handling of function pointers. An attacker who successfully exploits this issue could take complete control of an affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less impacted than users operating with administrative user rights. **Recommendations** For Microsoft .NET Framework versions 2.0 SP2, 3.5, 3.5.1, 4, and 4.5, update to a version that properly handles function pointers to prevent remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework version 4 **Description** A remote code execution issue exists due to improper buffer allocation. This allows attackers to execute arbitrary code via a crafted XAML browser application or a specially crafted .NET Framework application. An attacker who successfully exploits this issue could run arbitrary code in the security context of the logged-on user, potentially installing programs, viewing, changing, or deleting data, or creating new accounts with full user rights. The impact may be less severe for users with limited user rights compared to those operating with administrative rights. **Recommendations** For Microsoft .NET Framework version 4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions 1.0 SP3 through 4.5 **Description** A remote code execution issue exists due to improper validation of function parameters. This allows attackers to execute arbitrary code via crafted applications, potentially giving them complete control of an affected system. They could then install programs, view, change, or delete data, or create new accounts with full user rights. The impact may be less severe for users with limited user rights compared to those with administrative rights. **Recommendations** For Microsoft .NET Framework versions 1.0 SP3 through 4.5, at the moment, there is no information about a newer version that contains a fix for this vulnerability.