Microsoft Rushes Out 'Important' ASP.NET Patch

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Microsoft plans to deliver an out-of-band patch Tuesday for an encryption flaw in a key Internet server technology after "limited attacks" were spotted on the Web.

Although the flaw in what's known as ASP.NET is only ranked as "important" -- the second-highest rating in Microsoft's (NASDAQ: MSFT) four-tier bug severity ranking scale -- the company is moving quickly to block any more attacks.

Microsoft sent out an advance notification to server and security administrators on Monday afternoon in advance of the release of the Security Bulletin. ASP.NET is a part of the .NET Framework and is used to write Web sites, Web applications and Web services that run on Microsoft servers. The company typically releases an advance notice prior to release of a patch in order to give administrators time to plan for testing and deployment.

The flaw cropped up ten days ago when two security researchers attending the Ekoparty Conference in Buenos Aires, Argentina, presented details of how to use the flaw to decrypt encrypted communications with Windows Internet Information Services (IIS), Microsoft's Web server and gradually compromise the server.

At that time, Microsoft released a Security Advisory, which contained workarounds for several different versions of the .NET Framework.

"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Dave Forstrom, director of trustworthy computing, said in a post to the Microsoft Security Response Center (MSRC) blog, Monday.

While all supported versions of Windows are affected, most users are safe unless they run a Web server on their PCs.

Out-of-band patches are not uncommon for Microsoft to issue, particularly when a security vulnerability could affect large numbers of users. However, most out-of-band patches are released via Windows Update or Automatic Update.

This patch, however, will be initially released via the Microsoft Download Center.

"This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately," Forstrom added.

The patch will also be delivered using Windows Update and Windows Server Update Services over the next few days. Customers using the Automatic Update service will automatically receive the patch when it's broadly available.

"Once the Security Update is applied, customers are protected against known attacks related to [the ASP.NET flaw]," Forstrom said.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Follow eSecurityPlanet on Twitter @eSecurityP.