Microsoft Releases Out-of-Band Patch for .NET Vulnerability -- Redmondmag.com

Microsoft Releases Out-of-Band Patch for .NET Vulnerability

By Chris Paoli
01/03/2012

A recently released Microsoft security bulletin targeted flaws in Microsoft .NET Framework which, if unpatched, could lead to an elevation of privilege attack.

The "critical" out-of-band bulletin, released on December 29, consists of one publicly disclosed issue and three privately disclosed holes, all found in Microsoft's framework for ASP.NET.

According to Microsoft's security bulletin summary, one of the most critical of issues being addressed by the patch is the ability of an attacker to gain access to a user's account on an ASP.NET-based Web site if a specially crafted Web link were clicked. To successfully exploit this vulnerability, the hacker would also need to know the specific user name being targeted.

The versions of .NET software supported by the update (running on any supported version of Windows) include Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4.

The bulletin fixes these flaws "by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content," wrote Microsoft.

Microsoft's Pete Voss, Sr., response communications manager with the Trustworthy Computing Group, discussed how the flaws in .NET Framework could potentially be found in other software.

"This is an industry-wide issue that could affect a broad spectrum of technologies," said Voss in a December 30 webinar. "Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops."

Voss also clarified that shops "that are internet-facing and accept input from unauthenticated or untrusted user provided content" are at risk more than internal servers. He suggests these shops should deploy as soon as proper testing is complete.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.