Microsoft Rushes Out ASP.NET Patch To Block Attacks

Microsoft has issued an emergency patch to address a vulnerability in the ASP.NET framework. ASP.NET is used by developers to build Web applications and XML Web services.

The fix was pushed out after reports of attacks began to surface. The bug was demonstrated earlier this month by researchers at the Ekoparty Security Conference in Buenos Aires, Argentina.

A Web Server Problem

The vulnerability is due to improper error handling during encryption padding verification. According to Microsoft, the issue affects Microsoft .NET Framework 3.5 Service Pack 1 and higher. If exploited, the bug could be used by an attacker to read or tamper with data encrypted by the server, the company warned.
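To illustrate the class of flaw described above, here is an added example (not code from Microsoft, the patch, or the original article) of a decryption routine that gives a caller no way to tell a padding failure from any other failure: it verifies an HMAC tag over the ciphertext before decrypting and reports every error the same way. The names `ProtectedToken`, `Protect` and `TryUnprotect` and the token layout are assumptions made for this sketch, which targets .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class ProtectedToken
{
    // Layout assumed for this sketch: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes)
    const int IvLen = 16, BlockLen = 16, TagLen = 32;
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();   // defaults: CBC mode, PKCS7 padding
        aes.Key = encKey;
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plaintext, 0, plaintext.Length)).ToArray();
        using var mac = new HMACSHA256(macKey);
        return body.Concat(mac.ComputeHash(body)).ToArray();   // encrypt-then-MAC
    }
    // One failure signal for every cause: bad length, bad tag, bad padding.
    public static bool TryUnprotect(byte[] encKey, byte[] macKey, byte[] token, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        if (token == null || token.Length < IvLen + BlockLen + TagLen) return false;
        int bodyLen = token.Length - TagLen;
        if ((bodyLen - IvLen) % BlockLen != 0) return false;
        using var mac = new HMACSHA256(macKey);
        byte[] expected = mac.ComputeHash(token, 0, bodyLen);
        // Constant-time tag check BEFORE decryption: padding of modified ciphertext is never evaluated.
        if (!CryptographicOperations.FixedTimeEquals(expected, token.AsSpan(bodyLen, TagLen))) return false;
        try
        {
            using var aes = Aes.Create();
            aes.Key = encKey;
            aes.IV = token.Take(IvLen).ToArray();
            using var dec = aes.CreateDecryptor();
            plaintext = dec.TransformFinalBlock(token, IvLen, bodyLen - IvLen);
            return true;
        }
        catch (CryptographicException) { return false; }   // reported exactly like a bad tag
    }
    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] token = Protect(encKey, macKey, Encoding.UTF8.GetBytes("role=user"));   // constructed sample value
        Console.WriteLine(TryUnprotect(encKey, macKey, token, out _));   // untouched token
        token[token.Length - TagLen - 1] ^= 1;                            // simulate tampering with the ciphertext
        Console.WriteLine(TryUnprotect(encKey, macKey, token, out _));   // tampered token is rejected at the tag check
    }
}
```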

“MS10-070 updates the widely installed .NET Framework for all supported Windows platforms, from XP SP3 to Windows 7,” noted Wolfgang Kandek, CTO of Qualys. “This makes this update applicable to many machines, desktops and servers alike. However, the current known attack is applicable only to machines that run a Web server with ASP.NET installed, so IT administrators should prioritise these machines. Desktops and servers that do not run a Web server can be updated at a later date, when convenient.”

The impact of the attack is dependent on the Web application running on the server, he added. In a worst-case scenario, attackers could gain complete control of the server.

“The exact impact will have to be determined by the server and application engineers; we recommend patching this vulnerability on all Windows machines that run ASP.NET applications,” he said.

Microsoft warned that it had seen limited attacks targeting the vulnerability. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a Web server from their computer, blogged David Forstrom, director of Trustworthy Computing at Microsoft.

“The update will be made available initially only through the Microsoft Download Centre and then released through Windows Update and Windows Server Update Services within the next few days,” Forstrom wrote. “This allows customers the option to deploy it manually now without delaying for broader distribution.”


Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
