Microsoft Release Out of Band Security Update

Microsoft usually release patches and security updates on “Patch Tuesday”, but on occasion, if an issue is serious enough, they release an out of band update, which is what they did yesterday.

Microsoft Security Bulletin MS11-100 – Critical

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)

This is what Microsoft posted:

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.

If you have automatic updates enabled, you will probably already have the update. If you don’t have them enabled, you should go get this update now.