← Blog

New security advisory regarding vulnerabilities in .Net

June 16, 2020

Today, we publish a new advisory for some vulnerabilities, that have been found by our team-mate Nils Ole Timm (@firzen14).

Nils spent some time with .Net deserialization attacks and research. In April 2020 we already published an article about his Deserialization Attacks in .Net Games.

While the gaming industry thankfully fixed all of the reported issues, Microsoft elected to manage rather than fix the reported issues. For this advisory, two of them were not considered vulnerabilities by Microsoft as "by design". The third one was originally planned to be fixed, but a week before the disclosure deadline Microsoft informed us that they would only add a warning to their documentation.

Proof of Concept code is provided for each vulnerability right here:

The direct link to the advisory is https://modzero.com/en/advisories/mz-20-03-vulnerabilities-in_dotnet/

Other News

All news →