[UPDATE 01/10/2010: MS10-070 was released to Windows Update overnight last night and will be being applied to computers configured with Automatic updates. As usual, as a UKFast customer, you benefit from updates being applied automatically unless you have opted out of this service.]
On September 28th 2010, Microsoft released MS10-070 – a windows update released outside of the normal update schedule.
This update addresses vulnerabilities in the .NET framework and affects all versions of .NET on Server Operating Systems.
“The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.” – from Microsoft Security Bulletin MS10-070.
As the vulnerability has been publically disclosed, the update is classified as important and Microsoft (whilst not yet releasing to Windows Update) are advising implementation of the update at the ‘earliest’ convenience. The update will be released to the broader audience via Windows Update over the next few days and we will report on this here when we are informed.
Because this is an update to the .NET framework, the update applies across the board to Windows XP, Vista, Windows 7, Windows Server 2003, 2008 and 2008 R2.
Once applied, the update does not require a reboot unless the update process was unable to stop services or access files associated. This will therefore require interuption to services for applications which utilise .NET, regardless of whether a reboot is necessary.
There are known issues associated with updating the .NET framework code and any issues experienced in applying this update should first refer to the Microsoft knowledge base article 2418042.
For the time being, prior to release via Windows Update, the update can be located via the Microsoft Download site by searching on MS10-070.