Friday, December 30, 2011

Unusual out-of-cycle Microsoft Patch

This one shouldn't affect most people, but system admins would be well advised to take it seriously. For Microsoft to issue an out-of-cycle patch on a Thursday is very unusual, so there may be serious side effects they're not disclosing. Even if you don't think you're running an ASP.NET server, you might be: many modern services actually run a web server inside your machine.

None of my systems (XP Pro, Windows 7 Pro, Windows Server 2008 R2) required a reboot.

Microsoft releases out-of-band security update to plug .NET hole | ZDNet

MS11-100, released today, is a rare out-of-band security update—one delivered on a Thursday, several weeks ahead of the next regularly scheduled Patch Tuesday release. ...

The four patched vulnerabilities affect the Microsoft .NET Framework on every supported version of Windows, including Windows XP SP3, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and 2008 R2. Exploits against unpatched systems could allow an attacker to “take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.”

Typically, an out-of-band update indicates that the risk of “in the wild” exploits is high, so this update demands immediate attention.

Microsoft delivers rare out-of-band patch for ASP.NET issue - SC Magazine US
Microsoft engineers on Thursday gave IT administrators a late Christmas present: a fix for an unpatched and publicly known vulnerability affecting the software giant's ASP.NET web application framework.

One day after disclosing the flaw, which affects ASP.NET versions 1.1 and later on all supported versions of the .NET Framework, Microsoft released an emergency patch, which also addresses three other bugs, all of which were privately reported.

"An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands," the bulletin from Microsoft

What makes the previously unpatched bug particularly worrisome is that it enables attackers to use limited means to launch a devastating denial-of-service (DoS) attack against web servers. According to Microsoft, "a single, specially crafted ~100kb HTTP request can consume 100 percent of one CPU core for between 90 to 110 seconds."
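The figures Microsoft gives above (a request of roughly 100 kB that occupies a CPU core for 90 to 110 seconds) are enough to build a simple after-the-fact check against IIS logs: look for requests whose body size and processing time both fall in that range, and see which clients are sending them. The script below is an added example, not code from the original post, from ZDNet, SC Magazine or Microsoft. It parses the W3C extended log format that IIS writes, and assumes the optional `cs-bytes` and `time-taken` fields have been enabled in the site's logging configuration (both are off by default); the log lines it contains are constructed samples, and the thresholds are taken from the quoted figures.

```python
"""Flag IIS W3C log entries matching the MS11-100 DoS profile quoted above:
a single large (~100 kB) request that ties up a CPU core for about 90-110 s.

Added example, not code from the original post or from Microsoft.
Assumes the optional cs-bytes and time-taken fields are enabled in IIS
logging; the SAMPLE_LOG below is constructed, not real data.
"""

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator

# Thresholds derived from the page's figures: "~100kb" body, "90 to 110 seconds".
# Both are set a little below the quoted values so near-misses are still caught.
BIG_REQUEST_BYTES = 90 * 1024   # cs-bytes is the size of the request in bytes
SLOW_REQUEST_MS = 60_000        # time-taken is logged in milliseconds

# Constructed sample log. Entry 3 and 4 fit the profile; entry 5 is a large but
# fast upload and must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-12-30 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes time-taken
2011-12-30 10:00:01 10.0.0.5 GET /Default.aspx - 80 192.0.2.10 Mozilla/5.0 200 412 15
2011-12-30 10:00:03 10.0.0.5 POST /Login.aspx - 80 192.0.2.10 Mozilla/5.0 302 1376 48
2011-12-30 10:00:07 10.0.0.5 POST /Default.aspx - 80 198.51.100.77 - 200 103422 96210
2011-12-30 10:01:50 10.0.0.5 POST /Default.aspx - 80 198.51.100.77 - 200 102998 101870
2011-12-30 10:02:00 10.0.0.5 POST /Upload.aspx - 80 192.0.2.11 Mozilla/5.0 200 4200000 3200
"""


@dataclass
class Hit:
    when: str
    client: str
    uri: str
    request_bytes: int
    time_taken_ms: int


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    IIS may emit a new #Fields line mid-file (e.g. after a config change), so the
    column layout is re-read whenever one appears.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # #Software, #Version, #Date directives
        if fields is None:
            raise ValueError("log entry appears before any #Fields directive")
        values = line.split()             # W3C logs escape spaces inside fields as '+'
        if len(values) != len(fields):
            continue                      # truncated or malformed entry: skip, don't crash
        yield dict(zip(fields, values))


def find_suspect_requests(lines: Iterable[str],
                          min_bytes: int = BIG_REQUEST_BYTES,
                          min_ms: int = SLOW_REQUEST_MS) -> list[Hit]:
    """Return entries that are both large and slow, i.e. match the quoted DoS profile."""
    hits: list[Hit] = []
    for e in parse_w3c(lines):
        try:
            nbytes = int(e.get("cs-bytes", "-"))
            ms = int(e.get("time-taken", "-"))
        except ValueError:
            continue                      # field logged as '-' (not enabled) for this entry
        if nbytes >= min_bytes and ms >= min_ms:
            hits.append(Hit(f"{e['date']} {e['time']}", e["c-ip"],
                            e["cs-uri-stem"], nbytes, ms))
    return hits


def clients_by_hit_count(hits: Iterable[Hit]) -> list[tuple[str, int]]:
    """Rank source addresses by how many suspect requests they sent."""
    return Counter(h.client for h in hits).most_common()


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.when}  {h.client:<15} {h.uri:<16} {h.request_bytes:>8} B  {h.time_taken_ms:>7} ms")
    for client, n in clients_by_hit_count(found):
        print(f"{client}: {n} suspect request(s)")
```

A hit here is only a starting point: legitimate file uploads can be large and occasionally slow, which is why the check requires both conditions rather than either one, and why the per-client count matters more than any single line. Run against real logs, the `time-taken` values are what separate a busy site from a box that is spending a CPU core per request.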
