Microsoft pushed out an out-of-band patch to address a security issue with ASP.NET that has come under attack.
Microsoft issued an emergency patch Sept. 28
to address a vulnerability in ASP.NET.
The fix was pushed out after reports of attacks on the issue began
to surface. ASP.NET is used by developers to build Web
applications and XML Web services.
Demonstrated earlier this month by researchers at the ekoparty
Security Conference in Buenos Aires, Argentina, the vulnerability is
due to improper error handling during encryption padding verification.
According to Microsoft, the issue affects Microsoft .NET Framework
3.5 Service Pack 1 and higher. If exploited, an attacker could use
the bug to read or tamper with data encrypted by the server, the
"MS10-070 updates the widely installed .NET Framework for all
supported Windows platforms, from XP SP3 to Windows 7," noted Wolfgang
Kandek, CTO of Qualys. "This makes this update applicable to many
machines, desktops and servers alike. However, the current known attack
is applicable only machines that run a Web server with ASP.NET
installed, so IT administrators should prioritize these machines.
Desktops and servers that do not run a Web server can be updated at a
later date, when convenient."
The impact of the attack
dependent on the Web application running on the server, he added. In
the worst-case scenario, attackers can gain complete control of the
"The exact impact will have to be determined by the server and
application engineers, we recommend patching this vulnerability on all
Windows machine that run ASP.NET applications," he said.
Microsoft first warned Sept. 20 that it had seen limited attacks
targeting the vulnerability. While desktop systems are listed as
affected, consumers are not vulnerable unless they are running a Web
server from their computer, blogged David Forstrom, director of
Trustworthy Computing at Microsoft.
"The update will be made available initially only through the Microsoft Download Center
and then released through Windows Update and Windows Server Update
Services within the next few days," Forstrom wrote. "This allows
customers the option to deploy it manually now without delaying for