Microsoft issues emergency patch for Windows Web bug

Experts applaud move to deliver fix via manual download, not Windows Update

As promised, Microsoft today delivered an emergency patch for a Windows Web server flaw that is being actively exploited by hackers.

The fix addresses a vulnerability in ASP.Net's encryption that attackers could abuse to access Web applications with full administrator rights; decrypt session cookies or other encrypted data on a remote server; and access and snatch files from sites or Web applications.

ASP.Net is the Microsoft-designed Web application framework used to craft millions of sites and applications.

Microsoft first sounded the alert Sept. 17 after a pair of researchers demonstrated how attackers could pilfer browser session cookies, or steal passwords and usernames from Web sites.

Three days later, Microsoft warned users that it was seeing limited, active attacks , and urged Web server administrators to apply the workarounds spelled out in an updated advisory.

Today's MS10-070 update patches ASP.Net in all supported versions of Windows, ranging from Windows XP Service Pack 3 (SP3) and Windows Server 2003 to Windows 7 and Windows Server 2008 R2.

Microsoft pegged the single bug addressed Tuesday as "important," the second-highest ranking in its four-step system. "Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company said yesterday.

But not everyone will receive the patch today.

Microsoft took the unprecedented step of releasing the update only to its download center, where customers must retrieve and install it manually. It won't push the patch to Windows Update until later.

"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems," Microsoft said in an e-mailed statement to the IDG News Service yesterday.

Security experts agreed that it was a smart move on Microsoft's part.

"It's strange, but I don't think it means anything is amiss," said Andrew Storms, director of security operations at nCircle Security today. "The affected audience -- large companies, ISPs -- probably don't use Windows Update anyway. They likely have a much more stringent testing protocol."

Wolfgang Kandek, CTO of Qualys, a California-based security risk and compliance management provider, agreed that getting the patch out this way was acceptable. End users, he said, are not typically vulnerable to attack since few run a Web server.

"They may have been looking at another week or so of testing," Kandek said, referring to the process Microsoft goes through to make sure patches deploy properly via Windows Update. "And with attacks happening, this lets them get it into the hands of administrators who need it now."

Both Storms and Kandek remarked on Microsoft's patch pace in this case: Just 11 days from disclosure to update.

"The next closest was January of this year, when Microsoft patched the Google [Aurora] vulnerability," said Storms, speaking of the vulnerability in Internet Explorer that attackers used to break into the corporate networks of Google and more than 30 other major companies. "That was just seven days [from disclosure to patch], but after the fact we found out that Microsoft had known of the bug months earlier, so it's not a fair comparison."

It's possible that Juliano Rizzo and Thai Duong, the researchers who revealed the flaw Sept. 17 at an Argentinean security conference, had notified Microsoft prior to their presentation, said Kandek. If so, that would have given Microsoft more than the 11 days to fix the flaw.

Storms, however, thought otherwise. "Based on the fact that there is no name or names [crediting the vulnerability find] in the advisory tells me that Microsoft didn't know about it prior to Sept. 17," he said.

Customers who apply today's patch do not need to remove the workarounds they have applied at Microsoft's direction, a company spokesman said today. "Once you apply the security update, however, the workarounds are no longer required and can be removed," Dave Forstrom, the director of communications with the Microsoft Security Response Center (MSRC), said in an e-mail reply to questions.

Tuesday's rush update, called an "out-of-band" patch to show that it wasn't released in Microsoft's normal monthly schedule, was the fourth emergency fix so far this year.

Microsoft will release its next collection of security updates on Oct. 12.

The MS10-070 update can be downloaded from Microsoft's Download Center . It will land on Windows Update and the Windows Server Update Services (WSUS) in "the next few days," Microsoft said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftoperating systemssoftwareWindows

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?