By Susan Bradley
We ended 2011 with an out-of-cycle .NET update — one that desktop users can ignore for now but Web-server admins should make a high priority.
There are also a few other leftover 2011 updates it’s time to put behind us.
Administrators: The cloud needs patching
Around the first of the year, workstation users running .NET Versions 1.1 to 4 might see the 100th update for 2011. Just hide KB 2638420 and ignore it. On the other hand, administrators managing Internet sites of any size — from server farms to WindowsSecrets.com — will want to pay attention.
A research firm recently discovered that nearly all Web-programming languages and platforms are vulnerable to denial-of-service attacks because of how they handle hash tables. An advisory on gmane.org states that Apache, ASP.NET, Java, PHP, and Ruby — to name a few — are vulnerable if an attacker sends maliciously crafted packets to the site.
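The hash-table weakness described above, as an added illustration (not code from the advisory, Microsoft, or any affected platform): a toy chained hash table with a deliberately weak hash shows how parameter names that all land in one bucket make insertion cost grow quadratically, and how a keyed hash or a cap on parameter count bounds that cost. The names `weak_hash`, `make_keyed_hash`, `colliding_names`, `parse_params` and the cap value are hypothetical.

```python
import hashlib
import hmac

class ChainedTable:
    """Toy separate-chaining hash table that counts key comparisons."""
    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

def weak_hash(key):
    # Deliberately weak toy hash (sum of bytes); not any real platform's function.
    return sum(key.encode())

def make_keyed_hash(secret):
    # Mitigation 1: a per-process secret makes bucket placement unpredictable.
    def keyed(key):
        digest = hmac.new(secret, key.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big")
    return keyed

def colliding_names(n):
    # Constructed sample input: n distinct names with the same byte sum.
    return ["a" * i + "b" + "a" * (n - 1 - i) for i in range(n)]

def parse_params(names, hash_fn, max_keys=None):
    # Mitigation 2: refuse requests carrying more parameters than the cap.
    if max_keys is not None and len(names) > max_keys:
        raise ValueError("too many request parameters")
    table = ChainedTable(hash_fn)
    for name in names:
        table.insert(name, "")
    return table.comparisons

if __name__ == "__main__":
    names = colliding_names(400)
    print("weak hash comparisons: ", parse_params(names, weak_hash))
    print("keyed hash comparisons:", parse_params(names, make_keyed_hash(b"constructed-secret")))
```

With every name in one bucket, the k-th insert compares against all k-1 earlier names, so n names cost n(n-1)/2 comparisons; the keyed hash spreads the same names across buckets.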
According to Microsoft Security Bulletin MS11-100, the included .NET patch fixes a flaw that could let someone who knows user names on a website gain elevated rights and privileges to the site.
For those with on-premises servers that also use .NET, I’m still not seeing that we need to rush. For those of you in charge of patching the cloud, you might want to rush to update against this issue.