As expected, Microsoft has released an out-of-band security patch for the ASP.NET vulnerability. Details of the patch, and download links, are given in the Security Bulletin MS10-070. (This information is also in the updated Security Bulletin Summary for September 2010, but that page is slightly harder to work with, since it also contains information about all the vulnerabilities patched earlier this month.) Microsoft rates this update as Important; it affects all versions of the .NET framework, on all supported versions of Windows, except Microsoft .NET Framework 1.0 Service Pack 3.
According to a report in the ThreatPost blog from Kaspersky Labs, the researchers who developed the original attack say that the workaround provided earlier by Microsoft does not give complete protection against the attack. Especially for server machines, I recommend that you apply this update as soon as you can.
Update Tuesday, 28 September, 17:35 EDT
Upon re-reading this post, I realized I had not been sufficiently clear about one point: to get this patch, you must download it from Microsoft’s Download Center (or use the links in the MS10-070 Bulletin). It has not yet been made available via Windows Update or other automatic update mechanisms, although Microsoft has said it will be available “within the next few days”.
Update Wednesday, 29 September, 10:55 EDT
Microsoft VP Scott Guthrie, a/k/a ScottGu, who manages ASP.NET development, has a blog post that provides some additional information n this patch, some of which may be of particular interest if you have a large installation.
Random Walks 