Lately I’ve been reporting on several malware attacks that have hit various businesses. Twitter was hit over the weekend, and Microsoft disclosed a vulnerability in its ASP programming environment last week. Now Microsoft has announced that the security flaw in ASP.NET is so serious that it is releasing a patch on September 28th.
The vulnerability, which exposes ASP.NET applications to information disclosure attacks, was publicly discussed at this year’s ekoparty security conference in Argentina. Microsoft says there are ongoing attempts to bypass existing workarounds.
What does the attack do?
An attacker can decrypt cookies, view states, and form authentication tickets, identify membership passwords, see user data, and read anything else encrypted using the ASP.NET framework’s API. These issues are significant because the vulnerabilities exploited affect the .NET framework, which is used by 25 percent of Web sites on the Internet.
What is Microsoft doing about it?
The Microsoft Security Response Center says it will ship an emergency update with a severity rating of “important” for all versions of the .NET Framework when used on Windows Server operating systems. According to Microsoft, the security update is fully tested and ready for release; however, it will initially be made available only on the Microsoft Download Center. Microsoft hopes that this will get the update out as quickly as possible. It will also give administrators with enterprise installations, and end users working with the .NET framework environment who want to install the security update manually, the ability to test and update their systems as quickly as possible. After a few days, Microsoft intends to make the release available through Windows Update and Windows Server Update Services, to make sure distribution through these other channels is successful. This dual approach will allow Microsoft to release the patch sooner to customers who choose to deploy it manually, without delaying it for broader distribution.