Microsoft pushes Windows Web bug patch to everyone

Offers ASP.Net fixes to all customers through Windows Update

Microsoft today released its latest emergency patch to its Windows Update distribution service, making good on a promise earlier this week.

On Tuesday, Microsoft shipped a fix for a flaw in the ASP.Net Web site and application framework that let attackers steal important data from Web servers, including account usernames and passwords.

At the time, the fix was only available from Microsoft's download site , which forced server administrators to manually retrieve and install the update. That caused some confusion among IT professionals and prompted them to bombard the company with questions.

Starting today, the MS10-070 update can be downloaded and installed through the usual Windows Update service, and the business-oriented Windows Server Update Services (WSUS) tool.

Microsoft acknowledged that its decision to offer the update manually before it had wrapped up Windows Update distribution testing was unprecedented, but argued that it was the best way to get the fix into administrators' hands as quickly as possible.

The Microsoft Security Response Center (MSRC) reported that attacks exploiting the ASP.Net encryption bug had been seen in the wild, one of the reasons why it pushed the patch to Microsoft's download center on Tuesday.

Other security experts applauded Microsoft for releasing the patch before it was ready to ship via Windows Update, noting that end users, who rely on Windows automatic update mechanism to keep their PCs current, weren't at risk from attack.

Some of the administrators trying to patch their Web servers might have disagreed.

After Scott Guthrie, the Microsoft executive who runs the ASP.Net development team, listed the array of updates -- up to six separate downloads for some server configurations -- scores of customers asked which updates they needed to download or reported patch errors.

Many of the questions were answered within hours by Jamshed Damkewala, identified as a lead program manager with the .Net framework engineering team.

Andrew Storms, manager of security operations at nCircle Security, argued that Microsoft's unique delivery technique earlier this week put pressure on administrators to keep to their usual patching practices.

"This is more than a 'download and install' kind of patch," Storms acknowledged in an instant message exchange. "But in similar fashion to, say, an Exchange or SQL server patch, the operational installation method here is still in the hands of the installer. This is why, despite Microsoft's fantastic patch quality, the enterprise still needs to follow prudent patch testing procedures."

Microsoft first sounded the alert about the ASP.Net bug on Sept. 17, after a pair of researchers demonstrated how attackers could pilfer browser session cookies, or steal passwords and usernames from Web sites. Three days later, Microsoft warned users that it was seeing limited, active attacks , and urged Web server administrators to apply complex workarounds it listed in an updated advisory.

The patch released today via Windows Update makes those workarounds unnecessary, Microsoft has said.

Join the CSO newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityWindowssoftwareoperating systems

More about Andrew Corporation (Australia)MicrosoftnCircle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place