Microsoft Issues Out-of-Band Fix for .NET Zero-Day Bug

Pulkit Chandna

Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. In its advisory, Microsoft had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”

"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.

The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.

"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems."
