Open Data protocol vulnerability could allow denial of service
Report ID: MS201301007
Date Published: 10 January 2013
Criticality: Important
Compromise Type: denial-of-service
Compromise From: remote
Affected Product/Component:
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Summary
A vulnerability in the Open Data (OData) specification could cause a server or a service to stop responding and restart.
Detailed Description
Microsoft has released a security update following the report of a vulnerability in the Open Data (OData) protocol, which arises when Windows Communication Foundation (WCF) fails to properly sanitize specially crafted values. An attacker could exploit this condition to perform a denial-of-service attack, causing sites that use .NET WCF Services to become inaccessible.
The vulnerability has been fixed in the latest security update by turning off the WCF Replace function by default. Users are advised to install the update as a protection measure against potential exploit attempts.
CVE Reference
CVE-2013-0005
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms13-007
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.




