News

Sept. Patch Tuesday Includes .NET Fixes

Two issues related to the .NET Framework and ASP.NET are included in Microsoft's monthly security bulletin release.

Like Microsoft OS software, its programming tools are no different and are often just as vulnerable. The company's latest security bulletin has two .NET-related nuggets that shouldn't be ignored, both rated as "Important."

The first one, MS14-053, involves a .NET Framework flaw that can be exploited only if ASP.NET is installed in tandem with it on a Windows system. With this combination, hackers can send a Denial of Service attack to .NET-enabled Web sites on those systems. The flaw affects .NET Framework versions 1.1 SP1, 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2 on various Windows versions (see full matrix here).

A fix for this flaw is downloaded and applied automatically for those using automatic updates; customers who prefer manual updating to test and apply the updates as soon as possible -- Microsoft's bulletin states that the flaw was privately reported, so there isn't any report so far of this flaw being exploited in the wild.

The second issue, which is a re-release of a bulletin from May, relates to an elevation of privilege attack that can be exploited with ASP.NET. Specifically, hackers would be able to take control of a system in ASP.NET viewstate where MAC code validation is disabled upon configuration (MAC code validation is enabled by default, so those who don't have this disabled are not affected; even so, it behooves developers and admins to be sure and check whether it's on or off).

Microsoft states that the bulletin was re-released so that customers using Microsoft Update are able to get the update automatically.

The flaw affects the same version of the .NET Framework noted in the first bulletin, except for versions 3.0 SP2 and 4.5.2.

A more comprehensive report on all the fixes and updates to the September security bulletin is on Redmondmag.com.

About the Author

You Tell 'Em, Readers: If you've read this far, know that Michael Domingo, Visual Studio Magazine Editor in Chief, is here to serve you, dear readers, and wants to get you the information you so richly deserve. What news, content, topics, issues do you want to see covered in Visual Studio Magazine? He's listening at [email protected].

comments powered by Disqus

Featured

  • ML.NET Improves Object Detection

    Microsoft improved the object detection capabilities of its ML.NET machine learning framework for .NET developers, adding the ability to train custom models with Model Builder in Visual Studio.

  • More Improvements for VS Code's New Python Language Server

    Microsoft announced more improvements for the new Python language server for Visual Studio Code, Pylance, specializing in rich type information.

  • Death of the Dev Machine?

    Here's a takeaway from this week's Ignite 2020 event: An advanced Azure cloud portends the death of the traditional, high-powered dev machine packed with computing, memory and storage components.

  • COVID-19 Is Ignite 2020's Elephant in the Room: 'Frankly, It Sucks'

    As in all things of our new reality, there was no escaping the drastic changes in routine caused by the COVID-19 pandemic during Microsoft's big Ignite 2020 developer/IT pro conference, this week shifted to an online-only event after drawing tens of thousands of in-person attendees in years past.

  • Visual Studio 2019 v16.8 Preview Update Adds Codespaces

    To coincide with the Microsoft Ignite 2020 IT pro/developer event, the Visual Studio dev team shipped a new update, Visual Studio 2019 v16.8 Preview 3.1, with the main attraction being support for cloud-hosted Codespaces, now in a limited beta.

Upcoming Events