Sep 29, 2010 11:08 GMT

Microsoft has released an out-of-band patch in order to address a serious information disclosure vulnerability affecting ASP.NET applications, which was being exploited in the wild since last week.

Identified as CVE-2010-3332 in the Common Vulnerabilities and Exposures (CVE) database, the flaw was disclosed as a zero-day two weeks ago at a security conference in Argentina.

It allows attackers to mount what are known as padding oracle attacks against ASP.NET applications in order to decrypt sensitive data stored in the ViewState object.
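To show what a padding oracle actually is from the defender's side, the following added example (not code from the article, from Microsoft or from ASP.NET itself) builds a toy CBC-encrypted token service in two variants. The vulnerable variant decrypts, checks PKCS#7 padding first, and reports a padding failure differently from a MAC failure; those distinguishable responses are the oracle. The hardened variant authenticates IV and ciphertext with an HMAC before touching the ciphertext and collapses every failure into one response. The block cipher is a constructed keyed permutation built from SHA-256 so the script runs on the standard library alone; it is not AES and exists only to make the demonstration self-contained. Keys, IV and message are constructed values.

```python
import hashlib
import hmac

BLOCK = 16


class PaddingError(Exception):
    pass


def _round_keys(key, rounds=4):
    return [hashlib.sha256(key + b"rk" + bytes([r])).digest()[:BLOCK] for r in range(rounds)]


def _sbox(key):
    # Keyed byte permutation: order 0..255 by a keyed hash, then build the inverse table.
    fwd = sorted(range(256), key=lambda b: hashlib.sha256(key + b"sbox" + bytes([b])).digest())
    inv = [0] * 256
    for i, v in enumerate(fwd):
        inv[v] = i
    return bytes(fwd), bytes(inv)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _enc_block(key, block):  # toy block cipher, constructed for this demo only (not AES)
    sbox, _ = _sbox(key)
    for rk in _round_keys(key):
        block = bytes(sbox[b] for b in _xor(block, rk))
        block = block[1:] + block[:1]
    return block


def _dec_block(key, block):
    _, inv = _sbox(key)
    for rk in reversed(_round_keys(key)):
        block = block[-1:] + block[:-1]
        block = _xor(bytes(inv[b] for b in block), rk)
    return block


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = _enc_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(_dec_block(key, blk), prev))
        prev = blk
    return b"".join(out)


# Vulnerable pattern: MAC-then-encrypt, padding checked before the MAC, and the two
# failures reported with different responses. The difference is the oracle.
def vulnerable_encrypt(enc_key, mac_key, iv, data):
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, iv, pkcs7_pad(data + tag))


def vulnerable_decrypt(enc_key, mac_key, iv, ct):
    try:
        plain = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        return "padding_error"  # distinct response leaks whether the padding was valid
    data, tag = plain[:-32], plain[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest()):
        return "mac_error"
    return "ok"


# Hardened pattern: encrypt-then-MAC over IV||ciphertext, verified in constant time before
# any decryption, so tampered input never reaches the unpadder; one response for all failures.
def hardened_encrypt(enc_key, mac_key, iv, data):
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(data))
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def hardened_decrypt(enc_key, mac_key, iv, ct, tag):
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return "invalid"
    try:
        pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        return "invalid"  # unreachable for authentic data, but the response stays uniform
    return "ok"


def _flip(buf, index):
    b = bytearray(buf)
    b[index] ^= 0x01
    return bytes(b)


def observed_responses():
    """Send the genuine token plus two single-byte corruptions to each service and return
    the distinct responses each one produces. All inputs are constructed test values."""
    enc_key, mac_key, iv = b"enc-key-constructed", b"mac-key-constructed", bytes(range(16))
    msg = b"viewstate-field-01234"  # 21 bytes, so the token spans several blocks
    ct = vulnerable_encrypt(enc_key, mac_key, iv, msg)
    vulnerable = {
        vulnerable_decrypt(enc_key, mac_key, iv, ct),                                  # untouched
        vulnerable_decrypt(enc_key, mac_key, _flip(iv, 0), ct),                        # data byte only
        vulnerable_decrypt(enc_key, mac_key, iv, _flip(ct, len(ct) - BLOCK - 1)),      # last pad byte
    }
    ct2, tag = hardened_encrypt(enc_key, mac_key, iv, msg)
    hardened = {
        hardened_decrypt(enc_key, mac_key, iv, ct2, tag),
        hardened_decrypt(enc_key, mac_key, _flip(iv, 0), ct2, tag),
        hardened_decrypt(enc_key, mac_key, iv, _flip(ct2, len(ct2) - BLOCK - 1), tag),
    }
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    print(observed_responses())
```

Running it prints three distinct responses for the vulnerable service (`ok`, `mac_error`, `padding_error`) and only two for the hardened one (`ok`, `invalid`). The first set is the leak: a single corrupted byte tells the caller whether the padding under it decrypted validly, and the vulnerability in the article is that ASP.NET answered such requests distinguishably. The defensive property to check for in any CBC-based token handling is the second set, where authentication runs first, uses `hmac.compare_digest`, and every failure path shares one response.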

"This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server," Microsoft warns in its newly published security bulletin (MS10-070).

All versions of Microsoft .NET Framework running on all supported versions of Windows are affected, and the vulnerability is rated as "Important."

However, it's worth pointing out that due to the nature of the flaw and the attacks it facilitates, server environments are more impacted than desktop ones.

Therefore, the security update does not have the same priority for home users as it has for server administrators, since people are unlikely to run Internet-facing ASP.NET applications from their desktop systems.

For the time being, the patches are only available for download from the Microsoft Download Center, at least until sufficient deployment testing is done on the other update channels.

Scott Guthrie, the head of development for ASP.NET at Microsoft, advises on his blog that while the update doesn't require a system reboot, the Web service is taken offline temporarily.

Furthermore, people who run applications spread across multiple Web servers are warned that the entire server farm must be updated, otherwise the encryption/signing behavior will be inconsistent.

"If you are using a web-farm topology, you might want to look at pulling half of the machines out of rotation, update them, and then swap the active and inactive machines (so that the updated machines are in rotation, and the non-updated ones are pulled from rotation and patched next) to avoid these mismatches," Guthrie writes.