Microsoft releases out-of-band security update to plug .NET hole

Summary: Just in time for the new year, Microsoft released a rare out-of-band security update, its 100th of the year. The update represents "holiday heroics" for the team that sacrificed Christmas to plug a serious security hole.

No one in Redmond is popping champagne to celebrate the 100th and last Microsoft security update of the year.

MS11-100, released today, is a rare out-of-band security update—one delivered on a Thursday, several weeks ahead of the next regularly scheduled Patch Tuesday release.

The bulletin, described in this blog post, is rated Critical for a Denial of Service (DoS) vulnerability and specifically praises the ASP.NET team for its "holiday heroics":

Yesterday evening, we published an Advanced Notification alerting customers to a new out-of-band security update planned to be released today. The notification listed the update as addressing a Critical Elevation-of-Privilege vulnerability, leading to several questions from customers who expected the bulletin addressing a Denial-of-Service vulnerability to be rated Important.

Before hearing about this vulnerability, we had planned to release a .NET security update addressing three vulnerabilities, one of which was a Critical elevation-of-privilege vulnerability. When this vulnerability notification arrived a few weeks ago, the ASP.NET team included the fix into the update already being developed and tested. So the bulletin today addresses four vulnerabilities, one of which is the ASP.NET Denial-of-Service vulnerability presented yesterday. You can read more about the other vulnerabilities in the Security Bulletin and we also invite you to join us for a webcast at 1:00 p.m. PST today (Dec 29) where we will describe the vulnerabilities and answer your questions live “on the air.” You can sign up for the webcast here.

The four patched vulnerabilities affect the Microsoft .NET Framework on every supported version of Windows, including Windows XP SP3, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and 2008 R2. Exploits against unpatched systems could allow an attacker to "take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands."

The update will be delivered without user intervention to machines that have Automatic Updates turned on. If you prefer not to wait, open Windows Update and check for updates manually. Here's what it looks like.

Typically, an out-of-band update indicates that the risk of "in the wild" exploits is high, so this update demands immediate attention.


Talkback

48 comments
  • It would be nice

    if, for once, the following posts would acknowledge that Microsoft, like all reputable companies, cares about the security of their software and doing all they can.

    It would be nice.
    msalzberg
    • Nice indeed

      @msalzberg

      Both you and I have our fair share of criticisms when it comes to Microsoft and the MS Way, but their attitude and attention to security today is light years beyond what it once was. If it weren't, the world of computing would be in a far uglier place as we speak.

      Criticized as he was for his prioritizations and principles, Jim Allchin's pragmatic decision to release the SEC-based XP SP2 instead of a new OS was one of the wisest moves the company ever made, irrespective of the short-term fallout that came from extending XP's serviceable life and reach.

      It gained the company what it was quickly losing in the evolving eco/security sphere: respect. Well needed respect. The kind that alienated, then ameliorated, many who were looking [i]seriously[/i] for alternatives and outs from that Swiss cheese fondue called Windows.

      Redmond made a similar slick move when it saw - belatedly - the light at the end of the quickly growing WWW, and the advantage of having their own window to that world. In time they hammered together a superior (and *free*) browser [goodbye Netscape]. :(

      Ironically, Mozilla - using reforged Netscape bits coined Firefox - would kick them in their complacent keester once again when they fell asleep at the progress switch only a light year or two later.
      klumper
    • I have to agree

      @msalzberg I definitely believe in giving credit where it's due--they've taken security very seriously (some might argue a little too seriously in some cases, but that's subject to interpretation) in recent years. Comparing their general attitude now to the days of macro viruses in various Office programs is like comparing summer and winter.

      Overall, as much criticism as they get, I do think that when they do something right, it should get attention.
      Third of Five
    • They're just doing the job that they have to do

      Otherwise it'll be lawsuit heaven and we don't want that, now do we. ;)
      ScorpioBlue
      • RE: Microsoft releases out-of-band security update to plug .NET hole

        @ScorpioBlue

        Let's just give them a golf clap.
        Return_of_the_jedi
    • Vulnerability was REPORTED IN 2003

      @msalzberg Kind of hard to acknowledge good work when the work is 8 years late and the problem was passed along to newer products.
      wackoae
      • Can you provide a credible reference?

        @wackoae: [i]Kind of hard to acknowledge good work when the work is 8 years late and the problem was passed along to newer products.[/i]

        I can't find a reference to this effect.
        ye
      • Right, but in the name of full disclosure

        @wackoae

        The problem that caused a stir in the security community exists in many of the Web's most popular application and site programming languages, including ASP .Net, the open-source PHP and Ruby, Oracle's Java and Google's V8 JavaScript, according to two German researchers, Alexander Klink and Julian Walde.

        Andrew Storms, director of security operations at nCircle Security: "I'd have to agree that we all expected vendors to have fixed this by now. On the other hand, there is a lot of research out there and it's not always possible to be on top of everything. It's not as though this kind of attack has been ongoing in the wild since 2003 and everyone refused to fix it."

        Microsoft's rush to patch the flaw in ASP .Net hinted at the seriousness of the bug.

        "Microsoft will be the one to watch and see if they go out of band and if so, when," Storms said Wednesday night, before Microsoft announced today's patch.

        Other programming language developers have already offered fixes to their software.

        Some, however, will take their time implementing a fix, said Klink and Walde.

        Excerpted source: http://news.idg.no/cw/art.cfm?id=7076A4AF-C45C-A604-D099CC4F83CA0764
        klumper
      • RE: Microsoft releases out-of-band security update to plug .NET hole

        @ye Here's another reference:

        http://nakedsecurity.sophos.com/2011/12/28/large-percentage-of-websites-vulnerable-to-hashdos-denial-of-service-attack/
        "Perl was updated to fix this problem in version 5.8.1, which was released in September of 2003. For some reason most of the other languages did not take the cue from Perl and are still vulnerable to these attacks."
        Rabid Howler Monkey
      • Perhaps I'm missing something but I'm not seeing it.

        @Rabid Howler Monkey: All I've been able to find is a reference from 2003 to a generic issue with hashing but nothing pointing to a specific flaw in .NET.
        ye
      • You're almost there

        @ye
        [i]All I've been able to find is a reference from 2003 to a generic issue with hashing but nothing pointing to a specific flaw in .NET.[/i]

        That IS the issue (flaw), something all these languages share.

        From my post above: [i]The problem that caused a stir in the security community exists in many of the Web's most popular application and site programming languages, including ASP .Net. [/i]

        Now re-read RHM's comments.
        klumper
      • Show me something from 2003.

        @klumper: Your link is dated December 29, 2011. The date of the patch advisory. I want to see some reference from Alexander Klink and Julian Walde dated 2003 which specifically names .NET as being vulnerable. All I can find is a generic reference to hashing algorithms but nothing about a specific implementation. At least not one dating back to 2003. Can you provide one?
        ye
      • Potential threat 2003 | Realization 2011

        @ye

        From the same article I posted:
        [i]Klink and Walde credited another pair of researchers -- Scott Crosby and Dan Wallach -- for outlining the attack vector in 2003, and applauded the Perl programming language for patching its flaw then.

        In a security advisory issued the same day [Wednesday, December 28, 2011], Microsoft, whose ASP .Net programming language is one of several affected by the flaw, promised to patch the vulnerability and offered customers ways to protect their servers until it releases an update.[/i]

        See also:
        "Hash collision denial-of-service attacks were first detailed in 2003, but recent research details how these attacks apply to modern language hash table implementations."
        http://www.kb.cert.org/vuls/id/903934

        I think it can be safely concluded that MS was aware of it like everyone else, but until these latest developments, felt it merited less than full attention.
        klumper
      • Again: Please show me something from 2003 with a specific reference to .NET

        @klumper: The quotes which have been given reference articles from December 2011. A search on "Scott Crosby and Dan Wallach" results in references to a generic issue about hashing but none of the articles I looked at specifically reference .NET.

        So again I ask: Can you provide a reference from 2003 which specifically mentions .NET. I don't want anything dated from December 2011 which references "Scott Crosby and Dan Wallach". I want a specific reference from 2003 which specifically calls out .NET. Can you?
        ye
      • Perspective

        @wackoae A link to the original, 2003, article:

        "Denial of Service via Algorithmic Complexity Attacks"
        http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003/

        Perl was among the applications tested in this study and was adversely impacted. Additional applications tested in this study included the Bro intrusion detection system, SQUID web proxy server and Dan Bernstein's DNS server. As Perl was explicitly tested, adversely impacted, and the results of the study were published, fixes were implemented by Perl developers in 2003. Clearly, the developers of applications untested in this study were either unaware of the article or were unconcerned.

        In the article's conclusion, it is stated that the smaller address space of IPv4 systems provides some (limited) protection from this type of attack. It also states that the much larger address space of future IPv6 systems will make it much easier for an attacker to find collisions. And given that the last IPv4 address was assigned by IANA earlier this year, perhaps the timing of the current fixes by Microsoft and others is not as bad as some individuals are making it out to be.
        Rabid Howler Monkey
      • Is this really necessary?

        @Ye
        [i]I want a specific reference from 2003 which specifically calls out .NET.[/i]

        AFAIC, what constitutes the seriousness of any potential threat remains for those whose products are directly affected or involved, in this case Microsoft (et al), to weigh and decide.

        No one needs to [i]specifically[/i] call out MS (or cite .NET) from 2003, for no other reason than all of this is covered under [I]complicity by mutual association.[/i] ;)

        Again from the article I originally posted:
        [i]Can and Ness of Microsoft said that the company "anticipate(s) the [b]imminent public release of exploit code[/b]," and urged ASP .Net customers to apply the patch or the workarounds described in the advisory.[/i]

        AFAICT, with these latest developments (ref Klink and Walde, plus MS quotation above), that same potential threat, first documented in 2003, has now been amplified >> realized >> in 2011.

        Sometimes you've got to learn to read between the lines. If not, maybe contact Microsoft direct for the uniquely divine answer you seek. Ask if they were somehow caught unaware of this potentiality all this time, then let us know.

        [Or hey, maybe the Perl people are just leagues brighter?]
        klumper
      • One of four vulnerabilities

        @wackoae

        There were four vulns fixed in this update. One is the HashDOS vuln that was first theoretically identified in 2003 but was not specifically called out until last week.
        Ed Bott
      • RE: Microsoft releases out-of-band security update to plug .NET hole

        @Rabid Howler Monkey
        @klumper

        Good luck getting through to 'ye'.
        For him no reference will be good enough.
        Return_of_the_jedi
      • RE: Return_of_the_Jedi.

        @ROTJ ... Ever cut the trunk of a Christmas tree and get pine tar on your hands? You can't get away from it very easily.
        Joe.Smetona
      • RE: One of four vulnerabilities

        @Ed Bott wrote:
        "One is the HashDOS vuln that was first theoretically identified in 2003 but was not specifically called out until last week."

        There was nothing theoretical about the 2003 study for Perl and the other applications tested. The publication of the article effectively "called out" the vulnerability for the Perl devs who promptly included a fix in version 5.8.1. Clearly, other frameworks/languages such as .NET, Ruby, Python did not, for various reasons, connect the dots. From the original, 2003, article's (both referenced and linked above) conclusion:

        "As such, we strongly recommend that network packet processing code be audited for these vulnerabilities"

        And Perl is available for both Windows and Mac OS X (by default). Aren't these the OSs that you *theoretically* cover in your blog?
        Rabid Howler Monkey