Microsoft releases patch for HashDos Vulnerability!

I received this in an email on the 29th of December:

In case the link is broken, here is the text:

ALERT: Microsoft Releases Patch for HashDos Vulnerability
December 29, 2011

Happy almost New Year! In response to some recent developments around a known vulnerability targeting .NET, Microsoft made the bold decision to issue an out-of-band patch to address the issue. We’ve provided a quick look at the bulletin below. For an in-depth look at the background of this flaw as well as the up-to-date version of Retina you can use to identify if you have vulnerable systems, you’ll want to check out the eEye Blog. We’ll be providing updates on this development for as long as we need to ensure the security community stays informed.

Microsoft Security Bulletin MS11-100
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
Severity: Critical
eEye Recommendation: Patch Immediately

Interestingly, this patch covers not only the publicly disclosed “HashDos” vulnerability, but an additional three privately reported vulnerabilities in Microsoft .NET Framework. They all carry the potential for privilege escalation. As mentioned before, this is the first time in 2011 that Microsoft has released a patch outside of their typical Patch Tuesday release cycle. One could assume that this patch was to be part of an upcoming release cycle, and publicly disclosed attack methods being discussed online in the last few days may have forced their hand.

Stay Up to Date on This Issue
Be sure to check back in at the eEye Blog for new developments around this vulnerability and security bulletin, as well as updated product information on identifying and protecting vulnerable systems.


Here are some other links for your reading pleasure:

Microsoft Security Bulletin MS11-100 – Critical

Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)

Article ID: 2659968 – Last Review: December 29, 2011 – Revision: 1.0

Deployment guidance for security update 2638420, as described in MS11-100

As a side note, it looks like Microsoft is taking this seriously; we received a call directly from Microsoft to our CIO to let us know of the patch's availability. If I were you, I would get it installed. The patches are already in Windows Update, so it is no longer an out-of-band patch.