Malware attacks force MS to ship emergency ASP.net patch

Microsoft plans to ship an out-of-band security update tomorrow (September 28, 2010) to fix a serious ASP.net vulnerability that's being exploited in the wild.

The vulnerability, which exposes ASP.net applications to information disclosure attacks, was publicly discussed at this year's ekoparty security conference in Argentina and Microsoft says there are "limited attacks" and ongoing attempts to bypass existing workarounds.

According to Juliano Rizzo, the researcher who disclosed this vulnerability, an attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework’s API.

[ Microsoft confirms unpatched ASP.NET data leakage security flaw ]

Rizzo said the vulnerabilities exploited affect the framework used by 25 percent of Web sites on the Internet. “The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise,” he added.

Less than a week after Rizzo's disclosure, Microsoft says it will ship an emergency update with a severity rating of "important" for all versions of the .NET Framework when used on Windows Server operating systems.

Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

Microsoft says the patch will only be available tomorrow at the Microsoft Download Center

It will also be released through Windows Update and Windows Server Update Services within the next few days.