Microsoft readies out-of-cycle ASP.NET patch

Microsoft is preparing to release an out-of-band security fix for the ASP.NET flaw reported earlier this month.

The company admitted to the problem in a security advisory on 17 September, in which it suggested a workaround that companies should apply "immediately".

Microsoft will now post an out-of-cycle patch for the vulnerability, given its critical nature.

The flaw exists in all versions of ASP.NET 2, and Microsoft recommends that customers apply the patch to prevent attackers compromising ASP.NET applications.

Wolfgang Kandek, chief technology officer at Qualys, echoed this advice, urging companies to install the patch as soon as it becomes available.

"IT administrators should first focus on web servers that do not have the workarounds implemented," he added.

The flaw gives attackers access to information found in the web.config file, which could be sensitive, and allows for the interception of other material sent to any client machine.

Microsoft updated its reference pages about the flaw at the end of last week, and said that it is aware of a number of "limited, active attacks".

Affected software includes Windows XP, including SP3 and Professional, Windows Server 2003 and 2008, Windows Vista and Windows 7.

Microsoft's Security Bulletin Advance Notification for September 2010 warned that the ASP.NET flaw can lead to information disclosure.