As promised, Microsoft shipped an out-of-band patch Tuesday to fix a zero-day security flaw in a company-originated technology that is popularly used for Web applications — a flaw that has already seen “limited, targeted attacks” in the wild.
Microsoft (NASDAQ: MSFT) first acknowledged the bug about ten days ago, after two researchers disclosed details of how to exploit it at a security convention in Buenos Aires, Argentina; the flaw can be used to crack server-side encryption. The company said at that time that it already had a patch in the works.
According to Microsoft, a determined attacker could incrementally break the encryption of certain important server communications and files by sending encrypted Web requests to the server and examining the error codes — or “hints” — that are returned. By sending repeated requests, eventually the attacker may be able to gain access to files containing sensitive information, such as passwords.
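The weakness described above, a server whose differing error responses act as "hints", and the standard fix for it, shown as an added example that is not from the article or from Microsoft: a small Python model of a request handler that decrypts a CBC-encrypted, PKCS#7-padded token, once in a form that reports padding and authentication failures separately and once in a form that verifies the MAC in constant time before decrypting and returns a single status for every failure. The cipher is a constructed toy (XOR with a key-derived block) standing in for AES, and the keys, token layout, handler names and status codes are assumptions made for the example.

```python
import hmac, hashlib, os
BLOCK, TAG = 16, 32
K_ENC, K_MAC = b"constructed-demo-enc-key", b"constructed-demo-mac-key"  # constructed, not real
# Toy, insecure "block cipher" (XOR with one key-derived block) stands in for AES so the CBC
# chaining and PKCS#7 logic run offline; the error-handling lesson does not depend on it.
KBLOCK = hashlib.sha256(K_ENC).digest()[:BLOCK]
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
blk_enc = blk_dec = lambda b: xor(b, KBLOCK)
mac = lambda data: hmac.new(K_MAC, data, hashlib.sha256).digest()
def pad(p): n = BLOCK - len(p) % BLOCK; return p + bytes([n]) * n
def unpad(p):  # PKCS#7: last byte n in 1..BLOCK and the final n bytes all equal n
    n = p[-1] if p else 0
    if not 1 <= n <= BLOCK or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]
def cbc_encrypt(iv, p):
    out, prev = b"", iv
    for i in range(0, len(p), BLOCK):
        prev = blk_enc(xor(p[i:i + BLOCK], prev)); out += prev
    return out
def cbc_decrypt(iv, c):  # P[i] = D(C[i]) xor C[i-1], with C[-1] = IV
    blocks = [iv] + [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return b"".join(xor(blk_dec(blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
def make_token(plaintext):  # encrypt-then-MAC: the tag covers IV and ciphertext
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(iv, pad(plaintext))
    return iv + ct + mac(iv + ct)
def vulnerable_handler(token):  # decrypts first; each failure gets its own status: the hint
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    try:
        unpad(cbc_decrypt(iv, ct))
    except ValueError:
        return 500  # a padding failure is reported differently from a MAC failure
    return 200 if hmac.compare_digest(mac(iv + ct), tag) else 403
def hardened_handler(token):  # constant-time MAC check before any decryption, one error status
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    try:
        if len(ct) % BLOCK or not hmac.compare_digest(mac(iv + ct), tag):
            raise ValueError("bad tag")
        unpad(cbc_decrypt(iv, ct))
    except ValueError:
        return 400  # same response for a bad tag, bad length or bad padding
    return 200
def flip(t, i, m): b = bytearray(t); b[i] ^= m; return bytes(b)  # one corrupted request byte
def demo(plaintext=b"user=alice;role=admin"):
    """(vulnerable, hardened) statuses for: a valid token, a corruption that breaks the
    padding (last byte of the block before the final one), and one that leaves it intact (IV)."""
    t = make_token(plaintext)
    cases = [t, flip(t, len(t) - TAG - BLOCK - 1, 0x80), flip(t, 0, 0x01)]
    return [(vulnerable_handler(c), hardened_handler(c)) for c in cases]
```

The vulnerable handler answers 500 or 403 depending on which check failed, which is exactly the distinguishable "hint" the bulletin describes; the hardened handler answers 400 for any corrupted token, so the responses carry no information about the plaintext.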
The company sent out an advance notice Monday to security administrators and other interested parties, warning them to begin gearing up to test and install the patch as soon as it was released.
Microsoft emphasized that most of the affected computers will be servers, since Web servers typically run on them.
“While desktop systems are listed as affected, consumers are not vulnerable unless they are running a Web server from their computer,” Dave Forstrom, director of trustworthy computing, said in a post to the Microsoft Security Response Center (MSRC) blog.
Microsoft’s Security Bulletin, which accompanies the patch, outlined what operating systems are affected, and why the severity ranking of the fix is only “important,” the second-highest position on Microsoft’s four-tier scale.
“Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system,” the bulletin said.
That could include information from applications that use ASP.NET, even SharePoint and Exchange.
“The update addresses a vulnerability in the ASP.NET framework on Windows XP, Windows Vista, Windows 7, Windows Server 2003 and 2008 and Windows Server 2008 R2,” a Microsoft spokesperson said in an e-mail.
ASP.NET, which is used for building Web applications, is a part of Microsoft’s .NET Framework. Versions of the .NET Framework from version 3.5 Service Pack 1 and later are affected. Additionally, administrators who assumed that servers installed using the “server core” option would be safe should note that, according to the bulletin, those installations are affected too.
Because Microsoft wants the patch deployed as quickly as possible to the customers most likely to be affected, the company is initially releasing the Security Bulletin and patch only via the Microsoft Download Center.
Follow eSecurityPlanet on Twitter @eSecurityP.