Microsoft has released an infrequent, out of band update to fix a security hole in .Net Framework.
Usually, Microsoft updates its software regularly through Patch Tuesday program. But in certain situations like this one, where the risks of exploitability are high, they try to patch it immediately.
Incidentally, this is also the 100th security update released by them this year and will probably be the last with just a day left for New Year.
The MS11-100 update patches four vulnerabilities in .NET Framework – one publicly disclosed and three privately reported.
According to Microsoft Security Bulletin,
The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.
The security update addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.
The update is available for all supported version of Windows such as XP SP3, Windows Server 2003 SP2, Vista SP2, Windows 7 and Windows Server 2008 R2 and is rated critical. For those who have Automatic Update enabled, no user interaction is necessary as the update will be automatically downloaded and installed. For everyone else, I recommend installing this update as soon as possible since this is an out-of-band update and hence the risk level is high.
As always, the update can be acquired through Windows Update or downloaded from Microsoft Update.