Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service
Description: This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP.NET is configured to use integrated mode on affected versions of Microsoft Windows. An attacker could create specially crafted anonymous HTTP requests that could cause the affected Web server to become non-responsive until the associated application pool is restarted. Customers who are running IIS 7.0 application pools in classic mode are not affected by this vulnerability. The security update addresses the vulnerability by changing the way ASP.NET manages request scheduling.
Update type: Important
Release date: August 11, 2009
Applies to: All versions
Knowledge base: http://support.microsoft.com/kb/970957
Download link: 32-bit | 64-bit
Comments: Here are the specifics on the vulnerabilities covered by this update:
- Remote Unauthenticated Denial of Service in ASP.NET Vulnerability – CVE-2009-1536
For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB970957.
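
Because the description limits exposure to IIS 7.0 application pools running in integrated mode, the following added example (not part of the Microsoft bulletin) lists the pools that resolve to integrated mode from the text of `applicationHost.config`. The sample configuration is constructed, the function names are illustrative, and the script assumes pools without an explicit `managedPipelineMode` inherit from `applicationPoolDefaults` and then from the schema default of `Integrated`.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the applicationPools section of applicationHost.config
# (normally %windir%\System32\inetsrv\config\applicationHost.config).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="LegacyPool" managedPipelineMode="Classic" />
      <add name="ApiPool" managedPipelineMode="Integrated" />
      <applicationPoolDefaults>
        <processModel identityType="NetworkService" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""

# Assumption: value used by IIS when no pool or default sets the attribute.
SCHEMA_DEFAULT_MODE = "Integrated"


def pipeline_modes(config_xml):
    """Return {pool name: effective managedPipelineMode} for every pool."""
    root = ET.fromstring(config_xml)
    host = root.find("system.applicationHost")
    pools = host.find("applicationPools") if host is not None else None
    if pools is None:
        return {}
    # A pool with no explicit mode inherits from applicationPoolDefaults,
    # which in turn falls back to the schema default.
    defaults = pools.find("applicationPoolDefaults")
    default_mode = SCHEMA_DEFAULT_MODE
    if defaults is not None:
        default_mode = defaults.get("managedPipelineMode", SCHEMA_DEFAULT_MODE)
    return {p.get("name"): p.get("managedPipelineMode", default_mode)
            for p in pools.findall("add")}


def integrated_pools(config_xml):
    """Pools in integrated mode, i.e. the configuration the bulletin covers."""
    modes = pipeline_modes(config_xml)
    return sorted(n for n, m in modes.items() if m.lower() == "integrated")


if __name__ == "__main__":
    for name in integrated_pools(SAMPLE_CONFIG):
        print("integrated mode, confirm KB970957 is installed:", name)
```
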