The Protect IU Blog

    Out-of-band .NET framework patch to fix publicly disclosed ASP.NET vulnerability

    Microsoft released security bulletin MS11-100 on December 29th to address four vulnerabilities in the .NET framework. The associated patch addresses the denial of service (DoS) attack publicly disclosed at the Chaos Communication Congress on December 28th, as well as three other vulnerabilities reported through Microsoft's disclosure program.

    The publicly disclosed DoS vulnerability affects most IIS servers running ASP.NET based sites. Given a single specially crafted packet can exploit the DoS vulnerability, it is likely exploit code will be publicly available and in weaponized form shortly. Anyone administering ASP.NET should plan on installing this patch as soon as possible.

    The Microsoft Security Research and Defense blog has posted