Today, Microsoft released an update to protect customers against an industry-wide issue described in this Security Advisory. The good news is that if you have automatic updating enabled, which most customers do, you will not need to take any action because this security update will be downloaded and installed automatically. If you have disabled automatic updating, you will need to check for updates and install the update manually by following the recommendation located here. To put you further at ease, your computer is not vulnerable unless you are running a Web server from it.

For more information please check out the many resources below.

Thanks,

The SMB Team

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on December 29, 2011.

New Security Bulletin

Microsoft is releasing one new security bulletin (out-of-band) for newly discovered vulnerabilities:

Bulletin ID: MS11-100
Bulletin Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
Maximum Severity Rating: Critical
Vulnerability Impact: Elevation of Privilege
Restart Requirement: This update may require a restart
Affected Software*: All supported versions of ASP.NET on all supported versions of Windows and Windows Server.*
* Where indicated in the Affected Software table on the bulletin webpage, the vulnerabilities addressed by this update may affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Affected software listed above is an abstract. Please see the security bulletin at the link provided for complete details.

Public Bulletin Webcast

Microsoft will host a webcast to address customer questions on this bulletin:

Title: Information About Microsoft’s December 2011 Out-of-Band Security Bulletin Release

Date: Thursday, December 29, 2011, at 1:00 P.M. (GMT-08:00) Pacific Time (U.S. & Canada)

URL: https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032502798

Public Resources related to this alert

· Security Bulletin MS11-100 – Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420): http://technet.microsoft.com/security/bulletin/MS11-100

· Security Advisory 2659883 – Vulnerability in ASP.NET Could Allow Denial of Service http://technet.microsoft.com/security/advisory/2659883

· Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc/

· Microsoft Security Research & Defense (SRD) Blog: http://blogs.technet.com/srd/

New Security Bulletin Technical Details

In the following tables of affected and non-affected software, software editions that are not listed are past their support lifecycle. To determine the support lifecycle for your product and edition, visit the Microsoft Support Lifecycle website at http://support.microsoft.com/lifecycle/.

Bulletin Identifier: Microsoft Security Bulletin MS11-100
Bulletin Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
Executive Summary: This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.

The security update addresses the vulnerabilities by correcting the manner in which the .NET Framework handles specially crafted requests, and the manner in which the ASP.NET Framework authenticates users and handles cached content.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2659883.

Affected Software: This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.
CVE, Exploitability Index Rating:

· CVE-2011-3414: Collisions in Hash Table May Cause DoS Vulnerability (EI = 3)

· CVE-2011-3415: Insecure Redirect in .NET Forms Authentication Vulnerability (EI = NA)

· CVE-2011-3416: ASP.NET Forms Authentication Bypass Vulnerability (EI = 1)

· CVE-2011-3417: ASP.NET Forms Authentication Ticket Caching Vulnerability (EI = 2)

Attack Vectors:

· An unauthenticated attacker could send a small number of specially crafted ASP.NET requests to an affected ASP.NET site, causing a denial of service condition. (CVE-2011-3414)

· An attacker could create a specially crafted URL and convince a user to click it. After the user logs on to an expected website, the attacker then redirects the user to a website controlled by the attacker. Once there, the attacker could convince the user to divulge information otherwise intended to remain private. (CVE-2011-3415)

· An unauthenticated attacker would need to obtain a valid account name to the site. The attacker could then craft a special web request using a previously registered account name to gain access to that account. (CVE-2011-3416)

· An attacker could exploit the vulnerability by sending a specially crafted link to the user and convincing the user to click the link. (CVE-2011-3417)

Mitigating Factors:

CVE-2011-3414 (Collisions in Hash Tables May Cause DoS Vulnerability)

· By default, IIS is not enabled on any Windows operating system.

· Sites that disallow “application/x-www-form-urlencoded” or “multipart/form-data” HTTP content types are not vulnerable.
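The denial of service in CVE-2011-3414 comes from many form fields that all land in the same hash bucket, and the two defensive controls that blunt it are randomized (keyed) hashing and a cap on the number of fields accepted per request. The Python below is an added illustration, not code from the bulletin or from the .NET Framework: the chained table, the weak hash, the sample keys and the 1000-field cap are constructed for this example; `max_num_fields` is the Python standard library's own field cap in `urllib.parse.parse_qsl`.

```python
import hashlib
import hmac
import secrets
from itertools import islice, permutations
from urllib.parse import parse_qsl

# Toy chained hash table that counts probes, so the work that colliding keys
# force is visible. Constructed for illustration, not .NET's implementation.
class ChainedTable:
    def __init__(self, hash_fn, buckets=64):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):  # linear scan of the chain
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def weak_hash(key: str) -> int:
    # Unkeyed, predictable hash: every anagram of a key collides with it.
    return sum(ord(c) for c in key)

_SEED = secrets.token_bytes(16)  # per-process secret, unknown to clients

def keyed_hash(key: str) -> int:
    # Randomized hash: a client cannot precompute keys that collide.
    digest = hmac.new(_SEED, key.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")

def anagram_keys(n: int) -> list:
    # n distinct permutations of one string: all collide under weak_hash.
    return ["".join(p) for p in islice(permutations("abcdefg"), n)]

def probes_for(hash_fn, keys) -> int:
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, "x")
    return table.probes  # 124750 for 500 colliding keys under weak_hash

def parse_form(body: str, max_keys: int = 1000) -> dict:
    # Second mitigation: cap the field count before anything is hashed.
    # The 1000 limit is a constructed value for this example.
    return dict(parse_qsl(body, keep_blank_values=True, max_num_fields=max_keys))
```

With 500 colliding keys the weak table performs n(n-1)/2 probes while the keyed table stays around n²/(2·buckets), which is the whole reason a per-process secret removes the attacker's ability to plan collisions in advance.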

CVE-2011-3415 (Insecure Redirect in .NET Forms Authentication Vulnerability)

· This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise user information.

· By default, installing ASP.NET does not enable Forms Authentication. It has to be explicitly configured per-application to be enabled.

· IIS is not installed by default.

· By default, ASP.NET is not installed when .NET Framework is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.

· The attacker would have to convince the user to click a link in order to exploit the vulnerability.
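For the insecure redirect in CVE-2011-3415, the defensive check is to honour a post-login destination only when it is a path on the same site. The Python below is an added illustration, not ASP.NET's own code; it assumes the destination arrives in a ReturnUrl query parameter (the name ASP.NET Forms Authentication uses) and the hostnames in the comments and tests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

def is_local_url(url: str) -> bool:
    # True only for a path on this site: exactly one leading slash, no
    # scheme, no host, and none of the "//host" or "/\host" forms that
    # browsers interpret as a host (so "//attacker.example" is rejected).
    if not url or url[0] != "/":
        return False
    if len(url) > 1 and url[1] in "/\\":
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False  # browsers strip tabs/newlines, which could hide a host
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""

def post_login_target(login_url: str, default: str = "/") -> str:
    # Read ReturnUrl from the login page URL and fall back to a fixed local
    # default whenever the supplied value is not a local path.
    query = parse_qs(urlsplit(login_url).query)
    candidate = query.get("ReturnUrl", [""])[0]
    return candidate if is_local_url(candidate) else default
```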

CVE-2011-3416 (Forms Authentication Bypass Vulnerability)

· An attacker must be able to register an account on the ASP.NET application, and must know an existing user name.

· By default, installing ASP.NET does not enable Forms Authentication. It has to be explicitly configured per-application to be enabled.

· IIS is not installed by default.

· By default, ASP.NET is not installed when .NET is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.

CVE-2011-3417 (Forms Authentication Ticket Caching Vulnerability)

· By default, ASP.NET responses are not cached by the OutputCache. The developer of the site has to opt-in to output caching via the OutputCache directive on a page.

· An attacker who successfully exploited this vulnerability could gain the same user rights as the target user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

· By default, IIS is not installed on any affected operating system version. Only customers who manually install this are likely to be vulnerable to this issue.

· By default, ASP.NET is not installed when .NET is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.

Restart Requirement: This update may require a restart.
Bulletins Replaced by This Update: MS10-070 and MS11-078.
Publicly Disclosed? Exploited?

CVE-2011-3414 (Collisions in Hash Tables May Cause Denial of Service Vulnerability) was publicly disclosed prior to release. The other three vulnerabilities were private.

At this time we are not aware of any exploits in the wild for any of these vulnerabilities.

Full Details: http://technet.microsoft.com/security/bulletin/MS11-100

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.
