MS12-025 and XBAP: No longer a driveby threat

One of the security bulletins released today, MS12-025, addresses a code execution vulnerability in the .NET Framework. To exploit the vulnerability, an attacker would build a malicious XBAP application and lure victims to a malicious website serving the XBAP.

The good news is that a zero-click “driveby” style attack is no longer possible from the Internet on workstations where MS11-044 (published June 2011) has been installed. MS11-044 introduced an additional security prompt for all XBAP’s encountered from the Internet Zone. A redacted example is pictured below:

We recommend not allowing XBAP’s to run unless you know and trust the Publisher listed in the security dialog. The security bulletin outlines steps to disable XAML browser applications in Internet Explorer on a per-zone basis if you do not need to use this functionality.

– Jonathan Ness, MSRC Engineering