Well, I was a bit surprised about this update, especially since I didn't read about it on any of the blogs in my RSS Feedreader. Apparently Microsoft released a Security Update for System.Web.dll yesterday (10th October 2006). Apparently there is a cross-site scripting vulnerability (categorized as moderate risk) that allows malicious users to compromise a computer running ASP.NET 2.0 and in doing so steal confidential data. Versions 1.0 and 1.1 of the .NET Framework are not affected. I guess that .NET Framework 3.0 will be patched by the time it RTMs.
The details:
Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true".
Download the Security Update here.
Links:
CVE-2006-3436
MS06-056
KB922770
Cross-posted from The .NET Aficionado