Windows Enterprise Desktop

Sep 29 2010   1:04PM GMT

Out-of-band Security Update for Windows hits



Posted by: Ed Tittel
Tags:
ASP.NET gets out of band security update (MS10-070)
MS releases MS10-070 out of band
out of band updates for September 28 2010

I’m always curious when Windows Update drops something into my hopper outside the normal second-Tuesday-of-the-month timing for regular updates. Yesterday was no exception, when five updates appeared right after lunch. It turns out that only one of them merited a security bulletin (MS10-070), so I have to guess the others were dropped in because they were already ready to go and with MS pushing something critical out the door, these items simply came along for the ride.

Yes, there is an out-of-band security bulletin for 9/28/2010

The critical item in MS10-070 is a vulnerability in two different versions of the .NET Framework — specifically, versions 3.5 SP1 (also denoted as 3.5.1 in MS publications) and 4 — that could, in the words of the bulletin text itself, “…allow an attacker to compromise your Windows-based system that is running the Microsoft .NET Framework and gain access to information.” It is a publicly disclosed vulnerability in ASP.NET that could let attackers read data encrypted by the server, such as the view state (which MS mentions specifically). The vulnerability could also be used for data tampering, letting an attacker decrypt and alter data encrypted by the server. Versions of the .NET Framework that precede version 3.5 Service Pack 1 are not affected by the file content disclosure portion of the vulnerability, but users all the way back to version 1.0 Service Pack 3 should still apply this update, which carries an “Important” severity rating across the board.

Here are the other items that coat-tailed their way into this out-of-band update:

  • September 2010 cumulative time zone update for Windows operating systems: Changes to daylight savings start/stop dates for Middle East Standard Time, Namibia Standard Time, and US Eastern Standard Time in Indiana
  • Update for Microsoft Silverlight (KB2416427): This update fixes an incompatibility issue between Microsoft Silverlight 4 GDR 1 (4.0.50826.0) and earlier versions of the Bing Toolbar. The current release of Bing Toolbar (version 6) is not affected. Other update description info (from the MS Update details): “This update to Silverlight improves security, reliability, accessibility support, startup performance, enhances line-of-business support and includes several fixes to support rich internet applications.”
  • Update for Windows 7 (KB979538): “Stop 0x0000007E” or “Stop 0x00000050” Stop error message in Windows 7 or Windows Server 2008 R2. Install this update to prevent unexpected shutdowns or bluescreens when you are using a USB video device. After you install this item, you may have to restart your computer (caused restart on all 7 of my Windows machines, none of which uses a USB video adapter).
  • Update for Internet Explorer 8 Compatibility View List for Windows 7 (KB2362765): This continuing series of updates makes “…Web sites designed for older browsers look better in Internet Explorer 8.” Usually requires a restart of IE 8 after it’s installed (moot if the machine restarts anyway).

It’s always noteworthy when an out-of-band item appears between Patch Tuesdays. For those using .NET 3.5.1 or 4, this one’s important, but the rest of these items seem pretty humdrum to me.
