Microsoft has released one last critical security update for this year, in between the regularly scheduled Patch Tuesdays, to address a major flaw that could allow attackers to exploit hash tables to perform a denial-of-service attack against a website built using Microsoft’s ASP.NET framework.
“This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site,” Microsoft explains on it’s website.
The attacker who successfully exploits this security hole would be able to take any type of action in the context of an existing account on the ASP.NET site. From what Microsoft is saying, the attacker must be able to register an account on the ASP.NET site and know an existing username.
This security update was released to address “vulnerabilities by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.”
This security hole was first discovered in 2008 and the patch is now available on Windows Update. It does not require a reboot.Further reading: Microsoft, Security