.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

Vulnerability

CVE-2023-24895 is a remote code execution vulnerability in .NET, .NET Framework, and Visual Studio, specifically in the Windows Presentation Foundation (WPF) framework's handling of XPS documents [1][2]. The root cause lies in how WPF applications load and render XPS documents, which can be exploited to execute arbitrary code on a target system [2][3].

Exploitation

No authentication is required to trigger the vulnerability; an attacker would need to convince a user to open a specially crafted XPS document [2]. This can be achieved via a malicious email attachment or a compromised website hosting the exploit file [1][2]. The attack surface is limited to Windows desktop applications built with WPF running .NET 6.0 (≤6.0.16) or .NET 7.0 (≤7.0.5) [2][3].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the current user, potentially leading to full system compromise, data theft, installation of malware, or other malicious activities [1][2]. Microsoft notes no mitigating factors exist for this vulnerability, making it a high-severity issue for affected applications [2][3].

Mitigation

Microsoft has released patches for .NET 6.0 (6.0.18) and .NET 7.0 (7.0.7) via updated runtime packages [2][3]. Developers and users should update their .NET installations to the latest versions, which can be done through Visual Studio update prompts or by running 'dotnet --info' to check and manually apply updates [2][3]. WPF is a .NET Core UI framework for building Windows desktop applications, so any application using the affected 'Microsoft.WindowsDesktop.App.Runtime' packages is vulnerable and must be updated [2][4].