Posted by: Ed Tittel
ASP.NET gets out of band security update (MS10-070), MS releases MS10-070 out of band, out of band updates for September 28 2010
I’m always curious when Windows Update drops something into my hopper outside the normal second-Tuesday-of-the-month timing for regular updates. Yesterday was no exception, when five updates appeared right after lunch. It turns out that only one of them merited a security bulletin (MS10-070), so I have to guess the others were dropped in because they were already ready to go and, with MS pushing something critical out the door, these items simply came along for the ride.
The critical item in MS10-070 addresses a vulnerability in two different versions of the .NET Framework — specifically, versions 3.5 SP1 (also denoted as 3.5.1 in MS publications) and 4 — that could, in the words of the bulletin text itself, “…allow an attacker to compromise your Windows-based system that is running the Microsoft .NET Framework and gain access to information.” It is a publicly disclosed vulnerability in ASP.NET that could let attackers read data, such as the view state that MS mentions specifically, even though the server has encrypted it. The vulnerability could also be used for data tampering, that is, to decrypt and alter data encrypted by the server. Versions of the .NET Framework that precede version 3.5 Service Pack 1 are not affected by the file content disclosure portion of the vulnerability, but users all the way back to version 1.0 Service Pack 3 should still apply this update, which carries an “Important” severity rating across the board.
Here are the other items that coat-tailed their way into this out-of-band update:
- September 2010 cumulative time zone update for Windows operating systems: Changes to daylight savings start/stop dates for Middle East Standard Time, Namibia Standard Time, and US Eastern Standard Time in Indiana
- Update for Microsoft Silverlight (KB2416427): This update fixes an incompatibility issue between Microsoft Silverlight 4 GDR 1 (4.0.50826.0) and earlier versions of the Bing Toolbar. The current release of Bing Toolbar (version 6) is not affected. Other update description info (from the MS Update details): “This update to Silverlight improves security, reliability, accessibility support, startup performance, enhances line-of-business support and includes several fixes to support rich internet applications.”
- Update for Windows 7 (KB979538): “Stop 0x0000007E” or “Stop 0x00000050” Stop error message in Windows 7 or Windows Server 2008 R2. Install this update to prevent unexpected shutdowns or bluescreens when you are using a USB video device. After you install this item, you may have to restart your computer (caused restart on all 7 of my Windows machines, none of which uses a USB video adapter).
- Update for Internet Explorer 8 Compatibility View List for Windows 7 (KB2362765): This continuing series of updates makes “…Web sites designed for older browsers look better in Internet Explorer 8.” Usually requires a restart of IE 8 after it’s installed (moot if the machine restarts anyway).
It’s always noteworthy when an out-of-band item appears between Patch Tuesdays. For those using .NET 3.5.1 or 4, this one’s important, but the rest of these items seem pretty humdrum to me.