NET Framework in a number of supported versions of Windows operating system that includes Windows Server 2003, Windows XP SP3, Windows 7, Windows Vista, Windows Server 2008 and also 2008 R2. The unpatched systems might allow cyber attackers to "take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands." Manual update is also possible in case automatic updates are turned off. "An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.
The update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5. Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Windows, including Windows 7. In a security advisory issued the same day, Microsoft, whose ASP .Net programming language is one of several affected by the flaw, promised to patch the vulnerability and offered customers ways to protect their servers until it releases an update. Microsoft confirmed that a single 100K specially-crafted HTTP request sent to a server running ASP .Net would consume 100% of one CPU core for 90-110 seconds. The implications are significant for Web apps and sites that run on those servers. Microsoft's rush to patch the flaw in ASP .Net hinted at the seriousness of the bug.
Post a Comment