Microsoft Releases Out-of-Band Update to Patch .NET Framework

Microsoft has released a rare out-of-band update to fix a security hole in .NET Framework.

Microsoft normally ships its fixes on the monthly Patch Tuesday schedule, but in situations like this one, where the risk of exploitation is high, it patches immediately rather than waiting for the next cycle.

Incidentally, this is also the 100th security bulletin Microsoft has released this year, and with just a day left before New Year it will probably be the last.

The MS11-100 update patches four vulnerabilities in .NET Framework – one publicly disclosed and three privately reported.

According to Microsoft Security Bulletin,

The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.

The security update addresses the vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.

The update is available for all supported versions of Windows, including XP SP3, Windows Server 2003 SP2, Vista SP2, Windows 7 and Windows Server 2008 R2, and is rated Critical. If you have Automatic Updates enabled, no action is needed: the update is downloaded and installed automatically. Everyone else should install it as soon as possible, since an out-of-band release signals that Microsoft considers the risk high.

As always, the update can be acquired through Windows Update or downloaded from Microsoft Update.

Patch Tuesday: Microsoft Releases 13 Security Updates for December

Yesterday, Microsoft released 13 security updates as part of the monthly Patch Tuesday cycle, closing 19 vulnerabilities in Windows, Office, Internet Explorer and Media Player/Media Center.

Although 14 patches had been planned, one was held back. It was intended to close a vulnerability in SSL 3.0 and TLS 1.0, and Microsoft said it found an incompatibility with a third-party component during testing. That update will be released once the incompatibility is resolved.

Of the updates that did ship, three are rated Critical and the rest Important. All of the Critical updates patch vulnerabilities that allow remote code execution. A noteworthy one is MS11-087, which fixes the TrueType font parsing bug exploited by the Duqu malware. Microsoft had published a temporary workaround for this bug alongside last month's bulletins, which simply denied all access to the vulnerable T2EMBED.DLL.
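For anyone who applied that workaround, the added script below (not part of the original post or of Microsoft's bulletin) reproduces it and, more importantly, reverses it once MS11-087 is installed, because a lingering deny ACL on t2embed.dll leaves applications that rely on embedded fonts unable to render them. The takeown/icacls commands mirror Microsoft's manual workaround; the script wrapper and the -Undo switch are assumptions of this example. It assumes Windows Vista, 7 or Server 2008 (icacls.exe is not present on XP, which used cacls.exe) and an elevated PowerShell prompt.

```powershell
# Added example, not from the bulletin or the original post: apply or remove the
# deny-ACL workaround for t2embed.dll. Assumes Vista/7/2008 and an elevated prompt.
param([switch]$Undo)

$dll = Join-Path $env:windir 'system32\t2embed.dll'
if (-not (Test-Path $dll)) { throw "Not found: $dll" }

if ($Undo) {
    # After MS11-087 is installed, drop only the deny entry; other ACEs stay as they are.
    icacls.exe $dll /remove:d everyone
} else {
    # The file is owned by TrustedInstaller, so take ownership before editing the
    # DACL, then block all access for Everyone (the documented workaround).
    takeown.exe /f $dll
    icacls.exe $dll /deny 'everyone:(F)'
}

# Print the resulting ACL so the change, or its removal, can be verified.
icacls.exe $dll
```

Run it with no arguments to apply the workaround and with -Undo after the patch is confirmed installed; the final icacls listing should no longer show a deny entry for Everyone.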

The other updates are for vulnerabilities that enable Remote Code Execution as well as Elevation of Privilege. You can find more details on each of the updates here.

Microsoft has also released Deployment Priority Guidance to help customers decide the order in which to deploy the updates, shown below.

[Image: December 2011 deployment priority guidance]

Make sure that you install these updates as soon as possible in order to make your system less susceptible to attacks.

WordPress 3.1.1 Released, Update Now; Fixes Security Bugs and XSS Flaw

The WordPress team has released a new update containing several security fixes. WordPress 3.1.1 fixes almost thirty issues in WordPress 3.1.

The security issues were identified by WordPress core developers. The first fix hardens CSRF prevention in the media uploader, the second avoids a PHP crash in certain environments caused by links in comments, and the third closes an XSS flaw.

There are also several performance improvements, fixes for IIS6 support, fixes for taxonomy and PATHINFO permalinks, and fixes for various other query and taxonomy issues caused by plugin compatibility problems.

I highly recommend that you update your WordPress installation to WordPress 3.1.1 to avoid being affected by these security loopholes.

Microsoft Plans to Fail – Two Critical Bugs Left Unpatched

Next week brings Microsoft's first Patch Tuesday of 2011. A post on the Microsoft Security Response Center blog outlines the planned patches. It appears to be a smaller download than December's 17 patches. That would be welcome, but the January release will not include fixes for two serious flaws.

They said: "This month we will not be releasing updates to address Security Advisory 2490606 (public vulnerability affecting Windows Graphics Rendering Engine) and Security Advisory 2488013 (public vulnerability affecting Internet Explorer). We continue to actively monitor both vulnerabilities and for Advisory 2488013 we have started to see targeted attacks."

The Internet Explorer vulnerability affects nearly every PC in use today. The Graphics Engine bug was only revealed at the POC conference a few days ago; it affects XP, Vista and 7 machines. We can forgive them for not reacting quickly to the second one, but the IE flaw has been public long enough for at least a temporary fix to have been approved.

We can't wait much longer for these fixes. With users already seeing targeted attacks, Microsoft needs to recover from its New Year's hangover and get back to work.

How to Update Windows XP to Service Pack 3

Just as my fellow author, Amit, warned, Microsoft has ended support for PCs running Windows XP Service Pack 2 (SP2). According to figures I've seen at InformationWeek, as many as 45% of Windows XP machines need to move to SP3 in order to keep receiving security fixes.

If your PC has not been updated yet, there is no need to panic. Computers running SP2 will continue to work as usual; the end of support simply means they no longer receive security fixes from Microsoft's update website or through Automatic Updates.

Since it’s very important to keep your Windows up to date, how can you find out if your machine needs to update to SP3?

The quickest and easiest way to find out is a keyboard shortcut: press [Windows key] + [Pause/Break].

[Screenshot: Windows key + Pause/Break]

Another way to view your current Windows version is to right-click the My Computer menu entry or desktop icon and choose Properties from the list.

[Screenshot: My Computer context menu with Properties]

As a result of either of these actions, you should see your computer’s properties as shown below.

[Screenshot: System Properties dialog showing the service pack level]
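If you would rather not click through each machine, the added script below (not part of the original how-to) reads the same information through WMI and flags XP installs that are still below SP3; it also accepts remote computer names, which helps when the 45% figure above describes your own fleet. It assumes Windows PowerShell is installed (on XP it is an optional download, not a default component) and, for remote machines, that you have administrative rights and WMI/DCOM access to them.

```powershell
# Added example, not part of the original post: report the Windows version and
# service pack of one or more machines and flag XP installs that still need SP3.
# Assumes Windows PowerShell is installed; for remote names, admin rights and
# WMI/DCOM access are assumed as well.
param([string[]]$ComputerName = @('.'))   # '.' means the local machine

foreach ($pc in $ComputerName) {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pc
    # Windows XP reports Version 5.1.x; ServicePackMajorVersion is 0, 1, 2 or 3
    # and CSDVersion is the human-readable string the System Properties dialog shows.
    $os | Select-Object @{Name='Computer'; Expression={ $pc }},
        Caption, Version, CSDVersion,
        @{Name='NeedsSP3'; Expression={
            ($_.Version -like '5.1.*') -and ($_.ServicePackMajorVersion -lt 3) }}
}
```

Save it as Check-XpSp.ps1 and run `.\Check-XpSp.ps1` locally, or `.\Check-XpSp.ps1 -ComputerName pc1,pc2` for several machines; any row with NeedsSP3 set to True should be updated using one of the methods below.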

If it says Service Pack 2, use one of the links below to update your PC to SP3. I've included four ways to update and a brief description of each.

A. Windows Update Website
Yes, it's as easy as visiting Microsoft's site; however, you will need to use Internet Explorer, because Microsoft hates to see you use any other web browser.

B. Service Pack 3 Network Install
Despite what the title implies, you can download this single executable and it will install SP3 on any XP machine that needs it. The file is a bit over 300 MB.

C. Service Pack 3 Add-on for Multi-Lingual Users
If you use languages other than English, you may need this file in addition to download B above. It is only about 9 MB.

D. Service Pack 3 ISO / CD Image
You can download this ISO (CD image) and burn it to a CD. That gives you a backup copy you can use on any XP machine that needs it. The file is over 500 MB.

E. You can also order a CD from Microsoft by using one of the location links below:
Asia / Europe and Africa / North America / South America

Now, I’m feeling better after writing this important public service announcement. I hope you feel better too, after you’ve updated your old Windows XP machines.

Adobe Releases Reader 9.3 and 8.2, Fixes JavaScript Security Issue

Adobe has released patches for two versions of Adobe Reader. Reader 9.3 and Reader 8.2 fix a JavaScript security issue present in the previous releases.

According to the security bulletin at Adobe:

Critical vulnerabilities have been identified in Adobe Reader 9.2 and Acrobat 9.2 for Windows, Macintosh and UNIX, and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

If you are using Adobe Reader 9.2 or Reader 8.1.7, apply the patch as soon as possible. Adobe Reader 9.3 and Reader 8.2 can be downloaded from the official download page.

Release Notes: