
Microsoft fixes .NET security holes

Microsoft has released an out-of-band update that fixes four security holes in .NET, one of which could allow privilege escalation.

The MS11-100 security update, released on Thursday, is rated Critical for a Denial of Service (DoS) vulnerability.

"This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site," Microsoft wrote. "An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands."

The security update should be applied automatically, Microsoft said, but customers who haven't turned on automated updating will need to install it manually.

Affected software includes Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

Microsoft applauded the efforts of its ASP.NET team for working through the holidays to get the patch out.

"The ASP.NET team has worked straight through the past several weeks to make this short turnaround release possible — building, packaging, and testing this security update in order to release packages in such a short time so we could protect customers as quickly as possible," it wrote.