Microsoft Puts Up [Yet] Another Out of Band Emergency Patch

Tomorrow, Microsoft will put out a patch for the ASP.NET vulnerability that has been exploited in the wild and that Microsoft itself has described as serious.

Because the vulnerability is an information disclosure flaw, Microsoft has sped up the process; the update is meant to address attacks that have so far been limited but are on the rise.

[ZDNet Security]

Microsoft plans to ship an out-of-band security update tomorrow (September 28, 2010) to fix a serious ASP.net vulnerability that’s being exploited in the wild.

The vulnerability, which exposes ASP.net applications to information disclosure attacks, was publicly discussed at this year’s ekoparty security conference in Argentina and Microsoft says there are “limited attacks” and ongoing attempts to bypass existing workarounds.

According to Juliano Rizzo, the researcher who disclosed this vulnerability, an attacker can easily decrypt cookies, view states, forms authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API.

Rizzo said the vulnerabilities exploited affect the framework used by 25 percent of Web sites on the Internet. “The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise,” he added.

If Microsoft is admitting this much, you can bet it is very vulnerable, and the patch is imperative.

Less than a week after Rizzo’s disclosure, Microsoft says it will ship an emergency update with a severity rating of “important” for all versions of the .NET Framework when used on Windows Server operating systems.

Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Good news! One time when we have no worries as desktop users! [if we can believe it!]

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

Microsoft says the patch will only be available tomorrow at the Microsoft Download Center.

It will also be released through Windows Update and Windows Server Update Services within the next few days.

So, if you run a server, this should be a priority. Protecting the information on it is always a top priority, and if there are bypasses for the limited workarounds, you can bet it is a priority for the bad guys too.

How many hacks to the .NET Framework does this make?

§

Music is the only language in which you cannot say a mean or sarcastic thing.

– John Erskine
