Microsoft Expands Distribution for ASP.NET Security Update

Microsoft made the emergency ASP.NET patch available through all its distribution channels.

Microsoft made the patch for a vulnerability in ASP.NET available through all its distribution channels Sept. 30.

Microsoft released the patch Sept. 28, roughly a week after reporting attackers were targeting the bug in the wild. Initially, the company only made the update available through the Microsoft Download Center, which forced users to seek out and install the update on their own.

"Today we released out-of-band Security Update MS10-070 through the remainder of our standard distribution channels, including Windows Update and Windows Server Update Services," blogged David Forstrom, director of the Trustworthy Computing at Microsoft. "We have completed our testing of these channels and confirmed the update can be successfully downloaded."

The vulnerability is due to ASP.NET's use of encryption padding. In a Sept. 28 blog post, Forstrom noted that while desktop systems are listed as affected, consumers are not vulnerable unless they are running a Web server from their computer.

If left unpatched, the flaw could be exploited to allow an attacker to read data, such as the view state, which was encrypted by the server. The problem can also be exploited to decrypt and tamper with data encrypted by the server. Microsoft .NET Framework versions prior to 3.5 Service Pack 1 are not affected by the file content disclosure portion of the vulnerability, Microsoft said in an advisory.

Researchers demonstrated a tool to exploit the vulnerability at the ekoparty Security Conference in September.

"Customers are strongly encouraged to download the Security Update, test it in their environments and deploy it as quickly as possible," Forstrom blogged Sept. 30. "For customers using Automatic Update, this update will automatically be applied."