Lighthouse customers who tested the initial upgrade for Windows 7 and Windows Server 2008 R2 should install a security update designed to fix the ASP.NET vulnerabilities that other Windows users also had to face during the last month.
This security update for Microsoft .NET Framework 3.5.1 is available for Windows 7 SP1 Beta and Windows Server 2008 R2 SP1 Beta as well. .NET Framework 4 fixes can also be downloaded from the Microsoft Download Center.
During the last month, Microsoft released security bulletin MS10-070, which plugged the security issues in ASP.NET. These issues were publicly known, and they affected almost all versions of .NET software developed after 3.5 SP1.
Microsoft is known to fix vital vulnerabilities in software that is still in progress. But now it seems that the software giant has adopted a different strategy to tackle this new situation. The company had to offer a Windows 7 SP1 update while it was still in Beta.
According to Microsoft, “The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server.”
“This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.”
The Silicon Valley-based company says that the ASP.NET vulnerability occurred because of improper handling of errors during the verification of encryption padding.
This vulnerability in .NET Framework 3.5 SP1 gives hackers the opportunity to get hold of any content found in an ASP.NET application, including the Web.config file.
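The padding-error handling described above can be illustrated with a short C# sketch. This is an added example, not Microsoft's code or the contents of the update: it contrasts a handler whose response reveals whether padding verification failed with one that authenticates the data first and returns a single response for every failure. The class, the method names and the token layout are hypothetical, and .NET 6 or later is assumed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class PaddingErrorDemo // hypothetical names, not ASP.NET internals
{
    // Constructed token layout: IV (16) || AES-CBC ciphertext [|| HMAC-SHA256 tag (32)]
    static byte[] Cbc(byte[] key, byte[] iv, byte[] data, bool encrypt)
    {
        using var aes = Aes.Create(); // defaults: CBC mode, PKCS7 padding
        aes.Key = key; aes.IV = iv;
        using var t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
        return t.TransformFinalBlock(data, 0, data.Length); // decrypt throws on bad padding
    }

    static bool IsResource(byte[] pt) => Encoding.UTF8.GetString(pt).StartsWith("res=", StringComparison.Ordinal);

    // Weak: a padding failure and a content failure get different responses.
    static string HandleLeaky(byte[] encKey, byte[] token)
    {
        try { return IsResource(Cbc(encKey, token[..16], token[16..], false)) ? "200 OK" : "404 Not Found"; }
        catch (CryptographicException) { return "500 Padding is invalid"; }
    }

    // Hardened: verify the MAC over IV || ciphertext first; one response for every failure.
    static string HandleHardened(byte[] encKey, byte[] macKey, byte[] token)
    {
        const string fail = "400 Bad Request";
        if (token.Length < 64) return fail; // IV + one block + tag
        byte[] body = token[..^32], tag = token[^32..];
        using var hmac = new HMACSHA256(macKey);
        if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag)) return fail;
        try { return IsResource(Cbc(encKey, body[..16], body[16..], false)) ? "200 OK" : fail; }
        catch (CryptographicException) { return fail; }
    }

    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        byte[] body = iv.Concat(Cbc(encKey, iv, Encoding.UTF8.GetBytes("res=site.css"), true)).ToArray();
        using var hmac = new HMACSHA256(macKey);
        byte[] token = body.Concat(hmac.ComputeHash(body)).ToArray();
        byte[] badBody = (byte[])body.Clone(), badToken = (byte[])token.Clone();
        badBody[^1] ^= 1; badToken[^33] ^= 1; // corrupt the last ciphertext byte in each copy
        Console.WriteLine(HandleLeaky(encKey, body) + " / " + HandleLeaky(encKey, badBody));
        Console.WriteLine(HandleHardened(encKey, macKey, token) + " / " + HandleHardened(encKey, macKey, badToken));
    }
}
```

In the hardened handler a modified token is rejected at the MAC check, so the padding code never runs on data the server did not produce.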