Microsoft Rushes Out 'Important' ASP.NET Patch
Microsoft can move pretty quickly to block zero-day holes when it wants to. The ASP.NET hole got the company's attention and it is rolling out a patch Tuesday, just ten days after it surfaced.
Microsoft plans to deliver an out-of-band patch Tuesday for an encryption flaw in a key Internet server technology after "limited attacks" were spotted on the Web.
Although the flaw in what's known as ASP.NET is only ranked as "important" -- the second-highest rating in Microsoft's (NASDAQ: MSFT) four-tier bug severity ranking scale -- the company is moving quickly to block any more attacks.
Microsoft sent out an advance notification to server and security administrators on Monday afternoon in advance of the release of the Security Bulletin. ASP.NET is a part of the .NET Framework and is used to write Web sites, Web applications and Web services that run on Microsoft servers. The company typically releases an advance notice prior to release of a patch in order to give administrators time to plan for testing and deployment.
The flaw cropped up ten days ago when two security researchers attending the Ekoparty Conference in Buenos Aires, Argentina, presented details of how to use the flaw to decrypt encrypted communications with Windows Internet Information Services (IIS), Microsoft's Web server and gradually compromise the server.
At that time, Microsoft released a Security Advisory, which contained workarounds for several different versions of the .NET Framework.
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Dave Forstrom, director of trustworthy computing, said in a post to the Microsoft Security Response Center (MSRC) blog, Monday.
While all supported versions of Windows are affected, most users are safe unless they run a Web server on their PCs.
Out-of-band patches are not uncommon for Microsoft to issue, particularly when a security vulnerability could affect large numbers of users. However, most out-of-band patches are released via Windows Update or Automatic Update.
This patch, however, will be initially released via the Microsoft Download Center.
"This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately," Forstrom added.
The patch will also be delivered using Windows Update and Windows Server Update Services over the next few days. Customers using the Automatic Update service will automatically receive the patch when it's broadly available.
"Once the Security Update is applied, customers are protected against known attacks related to [the ASP.NET flaw]," Forstrom said.
Follow eSecurityPlanet on Twitter @eSecurityP.