On Thursday, December 29, Microsoft released an out of band patch to address a vulnerability identified in ASP.NET applications. If exploited, the vulnerability will cause a denial of service event. If you have ASP.NET applications on your webserver, it is recommended that this patch be applied as soon as possible.
Please see details at the following URLs –
http://technet.microsoft.com/en-us/security/advisory/2659883
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx
http://blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx
http://blogs.technet.com/b/msrc/archive/2011/12/30/december-2011-out-of-band-security-bulletin-webcast-q-amp-a.aspx
Specific details regarding the exploit
General Information
Executive Summary
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. In order to exploit this vulnerability, an attacker must be able to register an account on the ASP.NET site, and must know an existing user name.