Microsoft Releases First Unscheduled Patch of 2011

With just one day to go, a vulnerability in the .NET Framework has forced Microsoft to release its first out-of-band update of 2011.

So close, yet so far. For years, Microsoft has been criticized for releasing what some believe to be buggy, insecure software that’s vulnerable to attack from numerous exploits. The sheer number of infections and holes found in Microsoft software would seem to support that point. One must consider, however, the immense resources that are dedicated to finding holes in Microsoft’s products and the security improvements made (especially to Windows) over time; it would be difficult to argue that Windows 7 is somehow less secure than older versions of Windows, for example.

The lack of severe vulnerabilities recently has allowed Microsoft to stick to its scheduled “Patch Tuesday” releases for almost all of 2011. Unfortunately, just today (December 30), Microsoft was forced to release a patch to the .NET Framework to plug a major hole.

“Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420): This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows. For more information, see the subsection, Affected and Non-Affected Software, in this section.”

If you’ve got the .NET Framework installed on any of your systems (and odds are, you do), head over to Microsoft’s site for the update. If you’ve got automatic updates enabled though, you should have gotten the patch already.


Copyright © 2011 IDG Communications, Inc.
