Microsoft Security Bulletin MS11-100 Out-of-Band Critical Alert

Bryan Von Axelson 2010

B   V   A 

As we all get back in the saddle this week, after the Q4 end of year and holiday season, I wanted to make sure and call attention to an Out-of-Band Critical Security update that was released on December 29, 2011. 

This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name. 

This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.

The security update addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.  For more information, here is the link to Security TechCenter -

Recommendation. For customers who have automatic updating enabled, they will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.

Comments (2)

  1. jrv says:

    This security update fails to download and install on nearly all systems ws2003/xp/win7.  The update shows as important or Critical.  All other updates install automatically.  The ones for this bulletin do not.

  2. ML49448 says:

    I want to make sure my Identity will not be disclosed, in case an attacker targets my checking accounts; here and overseas. So I updated a security framework that alerts Microsoft. Now Microsoft has the privilege to take action, automatically.

Skip to main content