Microsoft put out a security advisory yesterday regarding a vulnerability in the Microsoft .NET Framework on almost all versions of Windows.
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.
This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on Windows XP – Windows 7 and Windows Server 2003 – Server 2008 R2.
The update coming out today also addresses a vulnerability disclosed yesterday that could allow a denial-of-service attack, by means of hash collisions, against a server serving ASP.NET pages.
Those with automatic updating enabled will not need to do anything, as the patch will be downloaded and installed automatically. Others will need to manually check for and install the updates related to MS11-100.
Microsoft Security is hosting a webcast to answer questions regarding this out-of-band patch at 1PM PST.