September 28, 2010
Security Update Now Available to protect MSCRM Servers
We recommend installing this update as soon as possible on your web-servers. - While all CRM Servers need this patch, CRM deployments that have enabled the IFD (Internet Facing Deployment) option are especially important to keep secure.
Where do I find these hotfixes?
I ran Windows Update – is that enough?
Not yet, these patches are new enough that they are not yet in the download channels for Windows Update.
Is the previously blogged CRM Update/Hotfix still needed?
How does this change functionality within CRM?
It doesn’t in any meaningful way for users. – The only change would be the removal of some encrypted data previously included in error messages.
Note - The following information from Scott Guthrie is helpful and important to users – especially if they have multiple CRM servers in a web-farm / cluster.
What is the impact of applying the update to a live web-server?
If you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately.
Importantly – if your site or application is running across multiple web-servers in a web-farm, you’ll want to make sure the update is applied to all of the machines (and not just some of them). This is because the update changes the encryption/signing behavior of certain features in ASP.NET, and a mix of patched and un-patched servers will cause that encryption/signing behavior to be incompatible between them. If you are using a web-farm topology, you might want to look at pulling half of the machines out of rotation, update them, and then swap the active and inactive machines (so that the updated machines are in rotation, and the non-updated ones are pulled from rotation and patched next) to avoid these mismatches.
(From Scott Guthrie - http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx )