Security Update for .Net Framework 1.1, 1.0

There is a security update for both versions of the .Net Framework out on the Windows Update site. I would recommend looking into getting this onto your web servers, but I want to provide a warning that it may disrupt development on some development machines. In some cases, after applying this update, developers have been unable to initialize debugging for ASP.Net. They get some strange message saying “can’t debug this application”, or something similar.

The fix for this is to open up IIS on the development machine and go to the properties of the Default Web Site. On the Home Directory tab of the properties window, ensure that there is no trailing backslash “\” on the path. If there is one, remove it, reset IIS (iisreset) and ensure the website is marked as Started in the IIS manager. This should fix the debugging issue.
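The same Home Directory check can be scripted for every site on a machine. This is an added example, not part of the original post or of Microsoft's guidance; it assumes the IIS ADSI provider is available (IIS 5/6, or IIS 6 Metabase Compatibility on later versions), and the `-Fix` switch and `Get-TrimmedPath` helper are hypothetical names chosen here.

```powershell
# Added example: audit IIS home-directory paths for a trailing backslash.
# Assumption: the IIS ADSI provider (IIS://) is installed on this machine.
param([switch]$Fix)   # hypothetical switch: rewrite offending paths when set

function Get-TrimmedPath([string]$Path) {
    # A drive root such as C:\ is only valid with its backslash, so keep it.
    if ($Path -match '^[A-Za-z]:\\$') { return $Path }
    return $Path.TrimEnd('\')
}

$changed = $false
$w3svc = [ADSI]'IIS://localhost/W3SVC'

foreach ($site in $w3svc.psbase.Children) {
    # W3SVC also holds non-site nodes (filters, app pools); skip them.
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }

    # Each site's home directory is the Path property of its ROOT virtual dir.
    $root    = [ADSI]($site.psbase.Path + '/ROOT')
    $current = [string]$root.psbase.Properties['Path'].Value
    $trimmed = Get-TrimmedPath $current
    $name    = [string]$site.psbase.Properties['ServerComment'].Value

    if ($current -eq $trimmed) {
        Write-Output "OK     $name  $current"
        continue
    }

    Write-Output "FOUND  $name  $current"
    if ($Fix) {
        $root.psbase.Properties['Path'].Value = $trimmed
        $root.psbase.CommitChanges()
        $changed = $true
        Write-Output "FIXED  $name  $trimmed"
    }
}

# Restart IIS only if a path was actually rewritten, as in the manual steps.
if ($changed) { iisreset }
```

Run it without `-Fix` first to see which sites are affected, then confirm in the IIS manager that each site is marked as Started after the reset.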

According to Microsoft the reason for the update is as follows:

“This update resolves a public vulnerability in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access… A canonicalization vulnerability exists in ASP.NET that could allow an attacker to bypass the security of an ASP.NET Web site and gain unauthorized access. An attacker who successfully exploited this vulnerability could take a variety of actions, depending on the specific contents of the website.”

This actually was announced quite a while back and a workaround was published. They have now incorporated a permanent fix into ASP.Net, which is what this download is (my guess anyway). You can read more at the following link: http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx.

Thanks to Dutch Vader for sending me a reference to the fix. I tested this on my own machine and the fix does work.