Microsoft has announced that it is to release an out-of-band patch for the ASP.NET vulnerability.
The issue is classified as ‘important’ and affects all supported releases of Microsoft Windows. The vulnerability allows a remote attacker to extract information from web applications programmed under ASP.NET and, in certain circumstances, can be used to take control of the affected server.
Microsoft confirmed that Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a web server from their computer.
Wolfgang Kandek, CTO at Qualys, said: “The current advisory provides a workaround for the problem. It minimises information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. We recommend installing the patch immediately, once it becomes available. IT administrators should first focus on web servers that do not have the workarounds implemented.”
Andrew Storms, director of security operations at nCircle, said: “Microsoft delivered today's zero-day patch release in just eleven days. It's not the fastest turn-around time in Microsoft patch history, but it's pretty close to the seven day turn-around we saw in January.
“We now know that in the January update Microsoft knew about the bug before the exploit, so the seven day quick turnaround is not an entirely accurate measurement. This leaves me wondering if Microsoft already knew about today's bug. But the bigger question in my mind is the potential effect of this short turn-around on quality.
“It's a bit odd that today's patch release won't be immediately available on Windows Update. Administrators and consumers will both be required to manually download the patch and install it manually. Since the major risk of this bug is with network administrators running IIS websites, manual downloads are probably a reasonable compromise between convenience and getting the patch out as quickly as possible.”