<< Back
CVE Number Vulnerability Product Severity Date
MS09-036 Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) Windows Server Critical 12-08-2009

Technical Information

Brief overview of the risk:
This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP.NET is configured to use integrated mode on affected versions of Microsoft Windows.
Detailed Information on the risk:

A Denial of Service vulnerability exists in the way ASP.NET manages request scheduling. An attacker could exploit this vulnerability by creating specially crafted anonymous HTTP requests that would cause the affected Web server to become non-responsive until the associated application pool is restarted.

Further information on this exploit is available at : MS09-036

Affected Software

Windows Server 2008 for 32-bit Systems
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for x64-based Systems
Windows Vista
Windows Vista Service Pack 1
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1
Windows XP Service Pack 2