July Patch Tuesday plugs hole in .NET framework

Security analysts say an important bulletin to shut down a .NET framework vulnerability should get top patching priority on Windows Server systems.

Microsoft issued 11 security updates for July Patch Tuesday, six of which are rated as critical. This month's batch of patches focuses mostly on vulnerabilities affecting the desktop, with few updates affecting Windows Server directly.

The most important bulletin for Windows Server administrators this month is MS16-091, which resolves a vulnerability in the .NET framework that could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application. If the XML file gets parsed by the .NET framework, the attacker can read any file the web application can access. Attackers will usually target configuration files or private information for other users, said Tod Beardsley, senior security research manager at Boston-based Rapid7.

Exploiting the vulnerability would not be automatic, but would be per application, Beardsley said.

The .NET framework is marked as important because of the consequences, said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif.

The vulnerability is remotely exploitable, meaning someone can go to a website and be exploited without the attacker needing physical access to the machine.

While many administrators were unhappy with Microsoft after problems with last month's Group Policy update, security analysts say it's best to follow Microsoft's recommendation and apply all patches. Administrators who deployed the patch reported it broke certain GPO settings and gave some users access to sensitive information.

"The mantra for server folks is that Microsoft is a very trustworthy vendor, but still it doesn't always make sense to quickly install the patch […] before mass deploying it," Sarwate said.

"Occasionally patches do break things, [and] you should test them in your test environment if you have the luxury of a test environment," Beardsley said. "But at the end of things, you kind of need these patches."

It's hard to avoid applying patches and, despite the occasional problem, Microsoft has made great strides with its security bulletins, Beardsley said.

"A lot of people don't remember that before Patch Tuesday, Microsoft issued guidance on their hot fixes in the MS01, 02 era of 'Don't install this unless you already see the problem,'" Beardsley said. "But if I've already seen the problem, it means I'm already totally owned and it's a little late now."

For more information about the July Patch Tuesday security bulletins, visit Microsoft's Security TechCenter site.


Join the conversation

2 comments


Microsoft's Whack-a-Mole Tuesday, one Tuesday after another. Since MS is a relatively smart company, don't you wonder when they'll realize that their approach isn't working very well? And since you and I are relatively smart people, when will we get weary of being unpaid beta testers for MS...?

First one of these I have heard of in a while. Glad it was deemed important enough to notify the masses...