Microsoft Releases Emergency ASP.NET Patch to Block Attacks

Microsoft pushed out an out-of-band patch to address a security issue with ASP.NET that has come under attack.

Microsoft issued an emergency patch Sept. 28 to address a vulnerability in ASP.NET.

The fix was pushed out after reports of attacks on the issue began to surface. ASP.NET is used by developers to build Web applications and XML Web services.

Demonstrated earlier this month by researchers at the ekoparty Security Conference in Buenos Aires, Argentina, the vulnerability is due to improper error handling during encryption padding verification. According to Microsoft, the issue affects Microsoft .NET Framework 3.5 Service Pack 1 and higher. If exploited, an attacker could use the bug to read or tamper with data encrypted by the server, the company warned.

"MS10-070 updates the widely installed .NET Framework for all supported Windows platforms, from XP SP3 to Windows 7," noted Wolfgang Kandek, CTO of Qualys. "This makes this update applicable to many machines, desktops and servers alike. However, the current known attack is applicable only machines that run a Web server with ASP.NET installed, so IT administrators should prioritize these machines. Desktops and servers that do not run a Web server can be updated at a later date, when convenient."

The impact of the attack is dependent on the Web application running on the server, he added. In the worst-case scenario, attackers can gain complete control of the server.

"The exact impact will have to be determined by the server and application engineers, we recommend patching this vulnerability on all Windows machine that run ASP.NET applications," he said.

Microsoft first warned Sept. 20 that it had seen limited attacks targeting the vulnerability. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a Web server from their computer, blogged David Forstrom, director of Trustworthy Computing at Microsoft.

"The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days," Forstrom wrote. "This allows customers the option to deploy it manually now without delaying for broader distribution."