Exploit Published for Web Service Vulnerability

Back at the end of December, I posted a note here about a newly-discovered vulnerability that affected a variety of Web service platforms, including PHP 5, Java, .NET, and Google’s v8.  Microsoft released an out-of-schedule Security Bulletin [MS11-100] and patch to fix the vulnerability in its .NET software, on December 29, for all supported versions of Windows.

Now, the ThreatPost security news service from Kaspersky Labs reports that a proof-of-concept exploit of this vulnerability has been published on the “Full Disclosure” mailing list.   (The SANS Internet Storm Center also has a diary entry on this.)  If you have a Windows web server, and have not applied the MS11-100 patch, I recommend that you do so as soon as you can.  Download links and more information are in the Security Bulletin, linked above.