In a post on the official Security Response Center Blog, Microsoft has announced that it intends to release an out-of-band patch for the ASP.NET security vulnerability that has been getting a lot of attention recently. The vulnerability affects all versions of the .NET Framework on Windows servers; clients are also theoretically vulnerable, but in practice are not at risk if they are not providing Web services. Microsoft says that the unscheduled update is justified by the level of attack attempts it is seeing:
“Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.”
The announcement says that the initial release of this patch will be via the Download Center, at approximately 10:00 AM PDT tomorrow. (The link for this specific update will be in the Security Bulletin that Microsoft will release at the same time; I will post a link to it here as soon as I get it.) The patch will be released through Windows Update and Windows Server Update Services “within the next few days”.
Microsoft has also updated their suggested workaround for this problem, for those who cannot install the patch right away. The details are explained in a post on Scott Guthrie’s blog, and in the updated version of the original Security Advisory [2416728].
Update: Tuesday, 28 September, 11:15 EDT
Microsoft has now released a Security Bulletin Advance Notification for this patch; this will be replaced with the actual Security Bulletin (with links to the updates) when the patch is released later today.