Microsoft .Net Framework Security Update Released
Microsoft has released an out-of-band security update for the Windows operating system that fixes a number of security vulnerabilities in the Microsoft .NET Framework.
The vulnerability affects all 32-bit and 64-bit versions of Windows that receive security updates, and the following versions of the Microsoft .NET Framework: Microsoft .Net Framework 1.1, 2.0, 3.5 Service Pack 1 and 4.
At least one of the vulnerabilities received the maximum severity rating of critical, the highest possible rating, on all affected operating systems and .Net versions.
Microsoft notes that the most severe vulnerability could allow elevation of privileges "if an unauthenticated attacker sends a specially crafted web request to" a target site. Attackers who successfully exploit the issue can "take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands".
Security updates are already listed on Windows Update. Windows users who have only installed the Microsoft .Net Framework 4.0 Client Profile may only see the update rated as important in Windows Update instead of critical. That is because ASP.Net, the component that is affected by the critical vulnerability, is not included in that version of the framework.
Most Windows users have configured automatic updates. Users who do not use automatic updates or Windows Update may download the patches from the Microsoft Update Catalog site instead. Please note that you can only open the site in Internet Explorer and not in other browsers.
Microsoft's Download Center is currently not listing the security updates. It is however likely that they will appear on the site in the next days.
A restart of the computer is not required after applying the patches. The patches will merely stop related services during patches before they are restarted.
Additional information about the security vulnerability is available on the Microsoft Security Bulletin page. This bulletin raises the count to 100 bulletins that have been released by the Redmond company in 2011.Advertisement