Before the close of 2011, Microsoft Corp. released its 100th security update of the year, which is being viewed as a rare out-of-band update.
Designated MS11-100, the update was made available on Thursday, surprisingly just a few days before the regular Patch Tuesday release.
The update has been rated Critical for a Denial of Service (DoS) vulnerability, and the post specifically praises the team behind this update, the ASP.NET team, for its "holidays heroics".
The update delivers four patches affecting the Microsoft .NET Framework on a number of supported versions of the Windows operating system, including Windows Server 2003, Windows XP SP3, Windows 7, Windows Vista, Windows Server 2008 and 2008 R2.
Unpatched systems might allow cyber attackers to "take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands."
The MS11-100 update will be installed without any user intervention on machines that have the Automatic Updates option turned on. It can also be installed manually if automatic updates are turned off.
Andrew Storms, director of security operations at nCircle, commented, "Microsoft has obviously been working overtime through the Christmas holiday to deliver an out-of-band patch for the DoS bug", reported CRN.
* * * * *
There comes a time in every operating system’s life when it needs to have an emergency patch slapped over a security hole in its guts, and for Windows, that time is today – and it’s an emergency. What you’re going to see here is a bulletin by the name of MS11-100 that acts as a sort of public service announcement, as Microsoft wants you to update your system several weeks before the regularly scheduled “Patch Tuesday” in mid-January. What this patch does is cut off access to a security hole that’d allow hackers to launch a DoS attack against people with Microsoft’s ASP.NET application framework in place.
Microsoft has the following to say:
“Attacks targeting this type of vulnerability are generically known as hash collision attacks,” the company said, adding that the hole is not specific to Microsoft’s Web services as it affects PHP 5, Java, .NET, V8 and to some extent PHP 4, Ruby and Python. The folks behind those platforms are expected to issue similar updates in the near future, but the holidays will undoubtedly delay that process. – Microsoft
This is an attack you likely won’t feel hitting you if you’re an average citizen, but better safe than sorry. This security update is currently rated Critical for the following systems: Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows. Don’t freak out, but don’t hesitate to update.