Just a few hours after Microsoft provided the advance notification of the planned releases in the July Security Update, it appears that a 0-day exploit for the .NET vulnerability (Critical patch expected) has been released at the SyScan '07 conference currently running in Singapore, according to a screenshot linked to by Dave Aitel.
Of interest from the above screenshot is the suggestion that there are multiple NULL byte injection opportunities in the .NET framework, which is being claimed as the reason for Microsoft's update next week - a delay that appears to have been delayed previously.
Of even more interest is the suggestion (from the bottom half of the slide) that there are plenty more exploitation opportunities to be found in the .NET framework. While this isn't likely to see the stampede of research effort that Cisco and Apple faced following recent Black Hat conferences, the widespread install-base for the .NET framework and its use in critical business applications is likely to see new critical .NET exploits make their way into attacker's toolkits over the coming weeks.
Even without sample exploit code being immediately freely available, the announcement should give administrators a reason to pause and reconsider the exposure of their .NET applications and systems.
7 July 2007
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.