Microsoft today issued an emergency patch for a vulnerability in its ASP.Net framework that could be used to read or tamper with data on a Web site.
The hole, rated "important," affects all versions of the .Net framework when used on Windows Server operating systems, but Windows desktop systems are not vulnerable unless they are being used to run a Web server, according to the advisory.
The vulnerability was disclosed by Microsoft just over a week ago and was later found to be exploited in limited attacks.
The update is initially available only from the Microsoft Download Center; it will be delivered through Windows Update and Windows Server Update Services in the coming days. More details about the vulnerability are in the security advisory.
The problem was that the software provided too much information in its error messages, which let attackers refine brute-force attempts against the cryptography protecting the data, Paul Henry, a threat vector security and forensics analyst at Lumension, told CNET.
"The methodology being used in these ASP.Net attacks is pretty old," he said. "The workaround was to provide a common error page for any error. The patch is supposed to automatically handle that, thus negating the need for a workaround."
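The "common error page for any error" workaround Henry describes, as an added web.config example that is not from the article or from Microsoft's advisory; the page names (Error.aspx, NotFound.aspx, ServerError.aspx) are assumed, and redirectMode requires .NET 3.5 SP1 or later:

```xml
<!-- BEFORE (leaky): a different response for each error type lets a remote
     client tell one kind of failure from another, which is the information
     the article says attackers used to refine their brute-force attempts.
<configuration>
  <system.web>
    <customErrors mode="On">
      <error statusCode="404" redirect="NotFound.aspx" />
      <error statusCode="500" redirect="ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
-->

<!-- AFTER (workaround): one generic page answers every error, so responses
     no longer distinguish between failure causes. -->
<configuration>
  <system.web>
    <!-- mode="On" serves the generic page to local and remote clients alike;
         no per-status <error> entries, so every failure looks the same.
         ResponseRewrite keeps the client on the requested URL instead of
         issuing a redirect, so the status code does not vary either. -->
    <customErrors mode="On"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
```

As the article notes, the patch is meant to make this workaround unnecessary; the setting is still a sensible default because it limits what an error response reveals.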
Andrew Storms, director of security operations for nCircle, said, "It's a bit odd that today's patch release won't be immediately available on Windows Update. Administrators and consumers will both be required to manually download the patch and install it manually. Since the major risk of this bug is with network administrators running IIS websites, manual downloads are probably a reasonable compromise between convenience and getting the patch out as quickly as possible."