14 DAY TRIAL // On December 29th, 2011, Microsoft released an out-of-band security update for all Windows flavors starting with Windows XP, in an attempt to fix a number of vulnerabilities discovered in Microsoft .NET Framework 1.1 and later.
Four security holes were patched with this update, one of which was rated critical. While three of these vulnerabilities were reported privately, the third was already publicly disclosed.
“Microsoft released a Critical security update to address the publicly disclosed denial-of-service issue described in Security Advisory 2659883,” Dave Forstrom, director, Microsoft Trustworthy Computing, explains.
The new security update was rated critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4.
The update should be installed as soon as possible on Windows XP Service Pack 3, and Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7, Windows 7 SP1, Windows Server 2008 R2, and Windows Server 2008 R2 SP1 systems (x32, x64 and Itanium-based Systems).
The update will be automatically installed on all machines that have the automatic update feature enabled. Customers who disabled it should perform manual installations. They can use update management software for that, Microsoft suggests.
While there have been no specific reports regarding attacks targeting ASP.NET, Microsoft still encourages customers to update their systems as soon as possible. Only customers running a web server from their computer are vulnerable to such attacks.
The most severe of the four vulnerabilities addressed in this patch could allow elevation of privilege when an attacker sends a specific web request to the target site.
“An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands,” Microsoft explains.
“In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.
“The security update addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.”
Additional info on the new update can be found in the Microsoft Security Bulletin MS11-100 - Critical entry on Microsoft’s Security TechCenter.