Microsoft has published a Security Advisory (2416728) about a security vulnerability in ASP.NET on Saturday, September 18th. This vulnerability exists in all versions of ASP.NET and was publically disclosed late Friday at a security conference.
Scott Guthrie has provided information on workarounds (please see Important: ASP.NET Security Vulnerability and ASP.NET Security Vulnerability) to prevent attackers from using this vulnerability against their ASP.NET applications.
To help with Microsoft’s response to the new padding oracle vulnerability, a new forum was also set up: Security Vulnerability.
Microsoft has now announced the release of an out-of-band security update to address the ASP.NET Security Vulnerability.
Applying the update addresses the ASP.NET Security Vulnerability, and once the update is applied to your system the workarounds Scott has previously blogged about will no longer be required. But, until the update has been installed, those workarounds must be used.
You can learn more about this security update release from this reading the Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.
The report is publicly available at: www.microsoft.com/sir
- Microsoft Security Intelligence Report volume 5, XPS and PDF format, approx. 145 pages including data and analysis on:
- NEW – The threat ecosystem, narrative section
- Security vulnerability disclosures, industry-wide and Microsoft specific
- Vulnerability exploits, Microsoft specific
- NEW – Browser-based exploits, Microsoft and third-party
- Security and privacy breach reports
- Malicious and potentially unwanted software trends
- Focus on malware and signed code
- NEW – specific malware and potentially unwanted software data for 15 locations worldwide (United States, Canada, United Kingdom, Australia, Brazil, France, Germany, China, Hungary, Italy, Japan, Norway, Russia, South Africa, and the Gulf Cooperation Council)
- SIR Key Findings Summary, XPS and PDF format, approx. 15 pages, published in English, Chinese (Simplified and Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazilian), Russian and Spanish
- Executive Summary, XPS and PDF format, approx. 5 pages, English only
- “Bret and Vinny Show” video introduction to the report