Microsoft made the emergency ASP.NET patch available through all its distribution channels.
Microsoft made the patch for a vulnerability in ASP.NET
available through all its distribution channels Sept. 30.
the patch Sept. 28
, roughly a week after reporting attackers were targeting
the bug in the wild. Initially, the company only made the update available
through the Microsoft Download Center, which forced users to seek out and install
the update on their own.
"Today we released out-of-band Security
through the remainder of our standard distribution
channels, including Windows Update and Windows Server Update Services,"
blogged David Forstrom, director of the Trustworthy Computing at Microsoft. "We
have completed our testing of these channels and confirmed the update can be
The vulnerability is due to ASP.NET's use
of encryption padding. In a Sept. 28 blog post, Forstrom noted that while
desktop systems are listed as affected, consumers are not vulnerable unless
they are running a Web server from their computer.
If left unpatched, the flaw could be exploited to allow an attacker to read
data, such as the view state, which was encrypted by the server. The problem
can also be exploited to decrypt and tamper with data encrypted by the server.
Microsoft .NET Framework versions prior to
3.5 Service Pack 1 are not affected by the file content disclosure portion of
the vulnerability, Microsoft said in an advisory.
Researchers demonstrated a tool to exploit the vulnerability at the
ekoparty Security Conference in September.
"Customers are strongly encouraged to download the Security Update,
test it in their environments and deploy it as quickly as possible,"
Forstrom blogged Sept. 30. "For customers using Automatic Update, this
update will automatically be applied."