Microsoft Releases First and Only 2011 Out-of-Band Patch
By Jennifer LeClaire / NewsFactor Network

Microsoft on Thursday released its first and only out-of-band patch for 2011. But it's a critical one. MS11-100 addresses a vulnerability in ASP.NET that could allow a denial of service attack.

Dave Forstrom, Microsoft's director of trustworthy computing, said the security update is rated critical. The fix addresses a remote unauthenticated denial of service issue in ASP.NET versions 1.1 and above on all supported versions of .NET Framework. But Forstrom warned that Microsoft is not the only vendor that is vulnerable.

"Of note, the new method of hash collision attacks used to exploit this vulnerability is an industrywide issue affecting various Web platforms, including ASP.NET," Forstrom said. "While we have seen no attacks attempting to exploit this vulnerability, we encourage affected customers to test and deploy the update as soon as possible. Consumers are not vulnerable unless they are running a Web server from their computer."

Executing Remote Commands

In its security bulletin, Microsoft explained that an unauthenticated attacker could send a specially crafted Web request to a targeted Web site, which could open a back door. An attacker who successfully exploits this vulnerability could manipulate the ASP.NET site, executing remote commands at will.

However, in order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site and must know an existing user name. Microsoft said customers who have not enabled automatic updating need to check for updates and install this update manually.

The out-of-band patch tackles four issues: CVE-2011-3416, an ASP.NET forms authentication bypass issue rated as critical; CVE-2011-3414, a hash table collision DoS issue rated as important; CVE-2011-3417, an ASP.NET ticket caching vulnerability rated important; and CVE-2011-3415, an insecure redirect vulnerability rated moderate.

How the Fix Works

"Microsoft tested and finished MS11-100 in record time, taking about 30 days for the process of integrating this new vulnerability with the fix that was already scheduled for January 2012," said Wolfgang Kandek, CTO of Qualys. "We consider Microsoft's reaction and implementation speed outstanding, as they were only notified at the tail end of the German security researchers' work."

Qualys is tracking how the other affected projects and vendors, including PHP, Oracle, Python and Ruby, are rolling out their patches.

"The bulletin fixes the DoS attack vector by providing a limit to the number of variables that can be submitted for a single HTTP POST request," Kandek said. "The default limit is 500 which should be enough for normal Web applications, but still low enough to neutralize the attack as described by the security researchers in Germany. This addresses the most obvious attack method immediately and leaves the reimplementation of the hash function for a future update."
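The mitigation Kandek describes, and the industry-wide hash collision problem Forstrom refers to above, come down to one defensive idea: count the form fields in the raw request body and refuse the request before any of those fields are inserted into a hash table. The Python below is an added illustration of that idea and is not Microsoft's, ASP.NET's or Qualys's code; the limit of 500 is the default quoted in the article, while the parser, the exception type and the sample bodies are constructed for this example.

```python
"""Form-body key-count limit, in the spirit of the MS11-100 mitigation.

Added illustration, not ASP.NET code. MAX_FORM_KEYS = 500 is the default
limit quoted in the article; everything else here is constructed.
"""
from typing import Dict, List
from urllib.parse import unquote_plus

MAX_FORM_KEYS = 500  # default limit quoted in the article


class TooManyFormKeys(ValueError):
    """Raised before any hash table is populated for an oversized body."""


def count_form_fields(body: str) -> int:
    """Count key=value pairs in an application/x-www-form-urlencoded body.

    Works on the raw text, so the cost is linear in the body length and no
    dictionary (hash table) is touched before the limit is enforced.
    """
    if not body:
        return 0
    return sum(1 for pair in body.split("&") if pair)


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> Dict[str, List[str]]:
    """Parse a form body into a dict, refusing bodies with more than max_keys fields.

    The check happens before the dict is built, so a body with thousands of
    fields never reaches the hash-table insert loop that a collision attack
    would try to make quadratic.
    """
    n = count_form_fields(body)
    if n > max_keys:
        raise TooManyFormKeys(f"{n} fields exceeds limit of {max_keys}")
    fields: Dict[str, List[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        # A bare "key" with no "=" is kept with an empty value.
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value) if sep else "")
    return fields


def build_body(n: int) -> str:
    """Constructed sample: n distinct fields f0..f(n-1), standing in for a large POST."""
    return "&".join(f"f{i}=v{i}" for i in range(n))


if __name__ == "__main__":
    print(parse_form("user=alice&lang=en&lang=de"))
    try:
        parse_form(build_body(501))
    except TooManyFormKeys as exc:
        print("rejected:", exc)
```

The important design point is the order of operations: the count is taken from the raw body with a single linear pass, and only a body under the limit is turned into a dictionary. Counting after parsing would defeat the purpose, since the expensive hash-table work would already have happened.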
