The Protect IU Blog

    Out-of-band .NET framework patch to fix publicly disclosed ASP.NET vulnerability

    Microsoft released security bulletin MS11-100 on December 29th to address four vulnerabilities in the .NET framework. The associated patch addresses the denial of service (DoS) attack publicly disclosed at the Chaos Communication Congress on December 28th, as well as three other vulnerabilities reported through Microsoft's disclosure program.

    The publicly disclosed DoS vulnerability affects most IIS servers running ASP.NET-based sites. Because a single specially crafted packet can exploit the DoS vulnerability, exploit code will likely be publicly available in weaponized form shortly. Anyone administering ASP.NET should plan on installing this patch as soon as possible.

    The Microsoft Security Research and Defense blog has posted additional details regarding the vulnerability, impact on servers, detection methods, and workarounds.

    Links:

    Microsoft Security Bulletin MS11-100

    More information about the December 2011 ASP.Net vulnerability - Microsoft SRD Blog

    ASP.NET security update is live! - Microsoft SRD Blog