September 2014 .NET Security Updates

The .NET Fundamentals Team

The .NET team released a security bulletin and a security advisory today as part of the monthly “patch Tuesday” cycle.

 

Microsoft Security Bulletin MS14-053 – Important, Vulnerabilities in .NET Framework Could Allow Denial of Service (2990931)

This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS.

This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows.

More details about the versions affected by this vulnerability can be found in the security bulletin MS14-053.

 

Microsoft Security Advisory 2905247 – Important, Insecure ASP.NET site configuration could allow elevation of privilege (2905247)

Microsoft is announcing the rerelease of a security update to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to an elevation of privilege attack. This advisory has been rereleased to offer the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released. Furthermore, the updates for some of the affected platforms have been rereleased to address an issue that occasionally caused Page.IsPostBack to return an incorrect value.

Microsoft recommends that customers test the updates and then deploy them in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information.

This vulnerability is rated Important and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1.

For administrators and enterprise installations with web-farm scenarios, Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218 before deploying this update.

More details about the versions affected by this vulnerability can be found in the Microsoft Security Advisory 2905247.
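To find sites where view state MAC validation has been disabled through configuration, the following added example (not from the original post or from Microsoft) audits a web.config and an .aspx page for the setting. It assumes the setting in question is the `enableViewStateMac` attribute on `<pages>` and on the `@ Page` directive; the function names and sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: MAC disabled site-wide and again in a <location> override.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="reports">
    <system.web>
      <pages enableViewStateMac="False" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample: corrected configuration (attribute removed, default applies).
SAMPLE_FIXED_CONFIG = """<configuration>
  <system.web>
    <pages />
  </system.web>
</configuration>"""

# Constructed sample: a single page opting out through its directive.
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

# Directive attribute names are matched case-insensitively.
_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*["\']?\s*false',
    re.IGNORECASE | re.DOTALL,
)

def audit_web_config(xml_text):
    """Return the scopes ('<site>' or a location path) that disable view state MAC."""
    root = ET.fromstring(xml_text)
    scopes = [("<site>", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    findings = []
    for name, node in scopes:
        for pages in node.findall("./system.web/pages"):
            if pages.get("enableViewStateMac", "").strip().lower() == "false":
                findings.append(name)
    return findings

def audit_page(aspx_text):
    """Return True if the @ Page directive disables view state MAC."""
    return _DIRECTIVE.search(aspx_text) is not None

if __name__ == "__main__":
    print("web.config scopes with MAC disabled:", audit_web_config(SAMPLE_WEB_CONFIG))
    print("page disables MAC:", audit_page(SAMPLE_ASPX))
```

Any scope or page it reports should have the attribute removed or set to true before or alongside deploying the update.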

 

How to obtain help and support for this security update

 

 
