September 2014 .NET Security Updates
The .NET team released a security bulletin and a security advisory today as part of the monthly “patch Tuesday” cycle.
Microsoft Security Bulletin MS14-053 – Important, Vulnerabilities in .NET Framework Could Allow Denial of Service (2990931)
This security update resolves one privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow denial of service if an attacker sends a small number of specially crafted requests to an affected .NET-enabled website. By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows. To be affected by the vulnerability, customers must manually install and enable ASP.NET by registering it with IIS.
This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected releases of Microsoft Windows.
More details about the versions affected by this vulnerability can be found in the security bulletin MS14-053.
Microsoft Security Advisory 2905247 – Important, Insecure ASP.NET site configuration could allow elevation of privilege (2905247)
Microsoft is announcing the rerelease of a security update to address a vulnerability in ASP.NET viewstate that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to elevation of privilege attack. This advisory has been rereleased to offer the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this advisory was originally released. Furthermore, the updates for some of the affected platforms have been rereleased to address an issue that occasionally caused Page.IsPostBack to return an incorrect value.
Microsoft recommends that customers test the updates before deploying them in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information.
This vulnerability is rated Important and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1.
For administrators and enterprise installations with web-farm scenarios, Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218 before deploying this update.
More details about the versions affected by this vulnerability can be found in the Microsoft Security Advisory 2905247.
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support