Microsoft Security Bulletin MS14-072 - Important,
Vulnerability in .NET Framework
Could Allow Elevation of Privilege (3005210)
This security update resolves a privately
reported vulnerability in Microsoft .NET…
<http://blogs.msdn.com/b/dotnet/archive/2014/11/11/november-2014-net-security-updates.aspx>
"Only custom applications that have been specifically designed to use .NET
Remoting would expose a system to the vulnerability. ... .NET Remoting is
not widely used by applications. ... .NET Remoting endpoints are not
accessible to anonymous clients by default."
One has to be running .NET software that has built-in
remote communication. What kind of nut would install such
software, unless they're on a workstation inside a safe
intranet? One would also have to have set the software to
allow access to anonymous external sources. Even running
Internet-connected .NET software is not wise, just as running
Internet-connected Java software and Flash greatly increases
one's vulnerability. Here we're talking about running .NET
Remoting configured to allow anonymous communications
through.
The bug sounds similar to the advertised critical Windows
bug that was recently reported: It's very serious. There's
currently no cure. It affects all systems, at least from
Server 2003 up. But if one reads the warning it turns out
that the risk is to machines that allow incoming requests.
Servers are at big risk. A Desktop PC that doesn't have
risky protocols like file sharing and Remote Desktop is
not at risk. (A Desktop with those protocols enabled
is always at risk and should at least have a good firewall
to filter incoming requests.)
So, many of these bugs sound serious on the surface,
but they're not necessarily a big deal once the details
are clear.