MS11-100: Vulnerability in the .NET Framework could allow elevation of privilege: December 29, 2011

2017-01-07T21:22:02
ID KB2638420
Type mskb
Reporter Microsoft
Modified 2012-07-18T17:12:59

Description

<html><body><p>This article contains details for the ASP.NET update for the .NET Framework.</p><h2>Introduction</h2><div class="kb-summary-section section">Microsoft has released security bulletin MS11-100. To view the complete security bulletin, visit one of the following Microsoft websites:<br/><ul class="sbody-free_list"><li>Home users:<br/><div class="indent"><a href="http://www.microsoft.com/security/pc-security/bulletins/201112.aspx" id="kb-link-1" target="_self">http://www.microsoft.com/security/pc-security/bulletins/201112.aspx</a></div><span class="text-base">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update website now:<br/><div class="indent"><a href="http://update.microsoft.com/microsoftupdate" id="kb-link-2" target="_self">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class="indent"><a href="http://technet.microsoft.com/security/bulletin/ms11-100" id="kb-link-3" target="_self">http://technet.microsoft.com/security/bulletin/MS11-100</a></div></li></ul><span><h3 class="sbody-h3">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href="https://support.microsoft.com/ph/6527" id="kb-link-4" target="_self">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href="http://technet.microsoft.com/security/bb980617.aspx" id="kb-link-5" target="_self">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href="https://support.microsoft.com/contactus/cu_sc_virsec_master" id="kb-link-6" target="_self">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href="https://support.microsoft.com/common/international.aspx" id="kb-link-7" target="_self">International Support</a><br/><br/></span><br/></div><h2>More Information</h2><div class="kb-moreinformation-section section"><h4 class="sbody-h4">Known issues and additional information about this security update</h4>The security updates that are offered in security bulletin MS11-100 change the way that ASP.NET creates forms authentication tickets. The new behavior is incompatible with the previous behavior. Tickets that are generated by using the new behavior cannot be read by servers that use the old behavior, and vice versa. Therefore, because of the ticket behavior change, administrators whose applications use forms authentication must take specific steps when they deploy the security updates offered in bulletin MS11-100 to make sure that all servers switch to the new behavior concurrently. <br/><br/>For more information, click the following article number to view the article in the Microsoft Knowledge Base:<br/><div class="indent"><a href="https://support.microsoft.com/en-us/help/2659968" id="kb-link-8">2659968 </a> Deployment guidance for security update 2638420, as described in MS11-100<br/></div>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.<br/><br/> <ul class="sbody-free_list"><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656351" id="kb-link-9">2656351 </a> MS11-100: Description of the security update for the .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: December 29, 2011<br/><br/></div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656356" id="kb-link-10">2656356 </a> MS11-100: Description of the security update for the .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1: December 29, 2011 </div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2657424" id="kb-link-11">2657424 </a> MS11-100: Description of the security update for the .NET Framework 3.5 SP1 on Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP: December 29, 2011  </div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656352" id="kb-link-12">2656352 </a> MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows XP and Windows Server 2003: December 29, 2011 </div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656362" id="kb-link-13">2656362 </a> MS11-100: Description of the security update for the .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2: December 29, 2011 </div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656355" id="kb-link-14">2656355 </a> MS11-100: Description of the security update for the .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2: December 29, 2011 </div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656358" id="kb-link-15">2656358 </a> MS11-100: Description of the security update for the .NET Framework 1.1 SP1 on 32-bit editions of Windows Server 2003 SP2: December 29, 2011<br/><br/></div></li><li><div class="indent"><a href="https://support.microsoft.com/en-us/help/2656353" id="kb-link-16">2656353 </a> MS11-100: Description of the security update for the .NET Framework 1.1 SP1 on Windows XP, Windows Vista and Windows Server 2008, and on x64 and Itanium-based versions of Windows Server 2003: December 29, 2011 </div></li></ul></div></body></html>