July Patch Tuesday plugs hole in .NET framework

Security analysts say an important bulletin to shut down a .NET framework vulnerability should get top patching priority on Windows Server systems.

Microsoft issued 11 security updates for July Patch Tuesday, six of which are rated as critical. This month's batch of patches focus mostly on vulnerabilities affecting the desktop, with few updates affecting Windows Server directly.

The most important bulletin for Windows Server administrators this month is MS16-091, which resolves a vulnerability in the .NET framework that could cause information disclosure if an attacker uploads a specially crafted XML file to a web-based application. If the XML file gets parsed by the .NET framework, the attacker can read any file the web application can access. Attackers will usually target configuration files or private information for other users, said Tod Beardsley, senior security research manager at Boston-based Rapid7.

Exploiting the vulnerability would not be automatic, but would be per application, Beardsley said .

The .NET framework is marked as important because of the consequences, said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif.

The vulnerability is remotely exploitable, meaning someone can go to a website and be exploited without the attacker needing physical access to the machine.

While many administrators were unhappy with Microsoft after problems with last month's Group Policy update, security analysts say it's best to follow Microsoft's recommendation and apply all patches.  Administrators who deployed the patch reported it broke certain GPO settings and gave some users access to sensitive information.

"The mantra for server folks is that Microsoft is a very trustworthy vendor, but still it doesn't always make sense to quickly install the patch […] before mass deploying it," Sarwate said.

"Occasionally patches do break things, [and] you should test them in your test environment if you have the luxury of a test environment," Beardsley said. "But at the end of things, you kind of need these patches."

It's hard to avoid applying patches and, despite the occasional problem, Microsoft has made great strides with its security bulletins, Beardsley said.

"A lot of people don't remember that before Patch Tuesday, Microsoft issued guidance on their hot fixes in the MS01, 02 era of 'Don't install this unless you already see the problem,'" Beardsley said. "But if I've already seen the problem, it means I'm already totally owned and it's a little late now."

For more information about the July Patch Tuesday security bulletins, visit Microsoft's Security TechCenter site.

Dig Deeper on Microsoft Hyper-V management