Microsoft to Patch ASP.NET Flaw Tomorrow

September 27, 2010

In a post on the official Security Response Center Blog, Microsoft has announced that it intends to release an out-of-band patch for the ASP.NET security vulnerability that has been getting a lot of attention recently.  The vulnerability affects all versions of the .NET Framework on Windows servers; clients are also theoretically vulnerable, but in practice are not at risk if they are not providing Web services.  Microsoft says that the unscheduled update is justified by the level of attack attempts they are seeing:

“Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.”

The announcement says that the initial release of this patch will be via the Download Center, at approximately 10:00 AM PDT tomorrow.  (The link for this specific update will be in the Security Bulletin that Microsoft will release at the same time; I will post a link to it here as soon as I get it.)  The patch will be released through Windows Update and Windows Server Update “within the next few days”.

Microsoft has also updated their suggested workaround for this problem, for those who cannot install the patch right away.  The details are explained in a post on Scott Guthrie’s blog, and in the updated version of the original Security Advisory [2416728].

Update Tuesday, 28 September, 11:15 EDT

Microsoft has now released a Security Bulletin Advance Notification for this patch; this will be replaced with the actual Security Bulletin (with links to the updates) when the patch is released later today.


Analyzing Malicious PDF Files

September 27, 2010

Using PDF files as an attack vector has become increasingly popular with malware developers in the last few years.  This is a slightly ironic but predictable result of urging users to be very careful of executable (e.g., .EXE) attachments.  PDF files are attractive to the Bad Guys because the vast majority of users have Adobe’s Reader, or some other PDF viewer, installed, and because, unlike overtly executable files, PDF files are not generally blocked by filtering systems.

Didier Stevens, a Belgian security researcher, has published a paper on the analysis of malicious PDF files.  (The downloadable file from the previous link is a ZIP’ed copy of the original PDF document.)  Mr. Stevens wrote this as a chapter for a proposed book project, since abandoned by the promoter.  It is a bit dated if you are looking for information on the very latest malware techniques, but it’s full of useful information for anyone who has to deal with PDFs.