Microsoft pushes Windows Web bug patch to everyone

Offers ASP.Net fixes to all customers through Windows Update

Microsoft today released its latest emergency patch to its Windows Update distribution service, making good on a promise earlier this week.

On Tuesday, Microsoft shipped a fix for a flaw in the ASP.Net Web site and application framework that let attackers steal important data from Web servers, including account usernames and passwords.

At the time, the fix was only available from Microsoft's download site, which forced server administrators to manually retrieve and install the update. That caused some confusion among IT professionals and prompted them to bombard the company with questions.

Starting today, the MS10-070 update can be downloaded and installed through the usual Windows Update service, and the business-oriented Windows Server Update Services (WSUS) tool.

Microsoft acknowledged that its decision to offer the update manually before it had wrapped up Windows Update distribution testing was unprecedented, but argued that it was the best way to get the fix into administrators' hands as quickly as possible.

The Microsoft Security Response Center (MSRC) reported that attacks exploiting the ASP.Net encryption bug had been seen in the wild, one of the reasons why it pushed the patch to Microsoft's download center on Tuesday.

Other security experts applauded Microsoft for releasing the patch before it was ready to ship via Windows Update, noting that end users, who rely on Windows' automatic update mechanism to keep their PCs current, weren't at risk from attack.

Some of the administrators trying to patch their Web servers might have disagreed.

After Scott Guthrie, the Microsoft executive who runs the ASP.Net development team, listed the array of updates -- up to six separate downloads for some server configurations -- scores of customers asked which updates they needed to download or reported patch errors.

Many of the questions were answered within hours by Jamshed Damkewala, identified as a lead program manager with the .Net framework engineering team.

Andrew Storms, manager of security operations at nCircle Security, argued that Microsoft's unique delivery technique earlier this week put pressure on administrators to keep to their usual patching practices.

"This is more than a 'download and install' kind of patch," Storms acknowledged in an instant message exchange. "But in similar fashion to, say, an Exchange or SQL server patch, the operational installation method here is still in the hands of the installer. This is why, despite Microsoft's fantastic patch quality, the enterprise still needs to follow prudent patch testing procedures."

Microsoft first sounded the alert about the ASP.Net bug on Sept. 17, after a pair of researchers demonstrated how attackers could pilfer browser session cookies, or steal passwords and usernames from Web sites. Three days later, Microsoft warned users that it was seeing limited, active attacks, and urged Web server administrators to apply complex workarounds it listed in an updated advisory.

The patch released today via Windows Update makes those workarounds unnecessary, Microsoft has said.


Gregg Keizer

Computerworld (US)