Out-of-Band Security Update for ASP.NET Vulnerability to Be Released Today

Article by George Norman (Cybersecurity Editor)

on 28 Sep 2010

On the 14th of September, Redmond-based software giant Microsoft rolled out a grand total of 9 security bulletins meant to address 11 vulnerabilities that plagued the Microsoft Windows operating system (all versions of Windows, including Windows 7 and Windows Server 2008), the web server application Internet Information Services (IIS), and the Microsoft Office productivity suite (Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2007).

Today, the 28th of September, Microsoft will roll out an out-of-band update to fix a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. The update will be rolled out at approximately 10:00 AM PDT.

Microsoft does not release out-of-band updates unless the vulnerability is actively exploited in the wild. That is precisely what’s going on with the ASP.NET vulnerability, which is detailed in Security Advisory 2416728. As Microsoft explained, limited attacks have been detected; attempts to bypass current defenses and workarounds have also been detected in the wild.

Juliano Rizzo, the researcher who disclosed this vulnerability, explained that an attacker can easily decrypt cookies, view states, forms authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API.

“The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible,” explained Dave Forstrom on behalf of the Microsoft Security Response Center team.

The update will be released via Windows Update and Windows Server Update Services within the next few days, added Forstrom.

