Microsoft Releases Emergency ASP.NET Patch to Block Attacks

Written By
Brian Prince
Sep 28, 2010

Microsoft issued an emergency patch Sept. 28 to address a vulnerability in ASP.NET.

The fix was pushed out after reports of attacks exploiting the issue began to surface. ASP.NET is used by developers to build Web applications and XML Web services.

Demonstrated earlier this month by researchers at the ekoparty Security Conference in Buenos Aires, Argentina, the vulnerability is due to improper error handling during encryption padding verification. According to Microsoft, the issue affects Microsoft .NET Framework 3.5 Service Pack 1 and higher. If exploited, an attacker could use the bug to read or tamper with data encrypted by the server, the company warned.

“MS10-070 updates the widely installed .NET Framework for all supported Windows platforms, from XP SP3 to Windows 7,” noted Wolfgang Kandek, CTO of Qualys. “This makes this update applicable to many machines, desktops and servers alike. However, the current known attack is applicable only to machines that run a Web server with ASP.NET installed, so IT administrators should prioritize these machines. Desktops and servers that do not run a Web server can be updated at a later date, when convenient.”

The impact of the attack is dependent on the Web application running on the server, he added. In the worst-case scenario, attackers can gain complete control of the server.

“The exact impact will have to be determined by the server and application engineers; we recommend patching this vulnerability on all Windows machines that run ASP.NET applications,” he said.

Microsoft first warned Sept. 20 that it had seen limited attacks targeting the vulnerability. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a Web server from their computer, blogged David Forstrom, director of Trustworthy Computing at Microsoft.

“The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days,” Forstrom wrote. “This allows customers the option to deploy it manually now without delaying for broader distribution.”
