Microsoft issues emergency patch for Windows Web bug
Experts applaud move to deliver fix via manual download, not Windows Update
Computerworld - As promised, Microsoft today delivered an emergency patch for a Windows Web server flaw that is being actively exploited by hackers.
The fix addresses a vulnerability in ASP.Net's encryption that attackers could abuse to access Web applications with full administrator rights; decrypt session cookies or other encrypted data on a remote server; and access and snatch files from sites or Web applications.
ASP.Net is the Microsoft-designed Web application framework used to craft millions of sites and applications.
Microsoft first sounded the alert Sept. 17 after a pair of researchers demonstrated how attackers could pilfer browser session cookies, or steal passwords and usernames from Web sites.
Three days later, Microsoft warned users that it was seeing limited, active attacks, and urged Web server administrators to apply the workarounds spelled out in an updated advisory.
Microsoft pegged the single bug addressed Tuesday as "important," the second-highest ranking in its four-step system. "Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company said yesterday.
But not everyone will receive the patch today.
Microsoft took the unprecedented step of releasing the update only to its download center, where customers must retrieve and install it manually. It won't push the patch to Windows Update until later.
"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems," Microsoft said in an e-mailed statement to the IDG News Service yesterday.
Security experts agreed that it was a smart move on Microsoft's part.
"While strange, it's not something that people should be worried about," said Andrew Storms, director of security operations at nCircle Security today. "The affected audience -- large companies, ISPs -- probably don't use Windows Update anyway. They likely have a much more stringent testing protocol."
Wolfgang Kandek, CTO of Qualys, a California-based security risk and compliance management provider, agreed that getting the patch out this way was acceptable. End users, he said, are not typically vulnerable to attack since few run a Web server.
"They may have been looking at another week or so of testing," Kandek said, referring to the process Microsoft goes through to make sure patches deploy properly via Windows Update. "And with attacks happening, this lets them get it into the hands of administrators who need it now."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Taking Windows Mobile on Any Device Taking Windows applications mobile has many advantages, but the process of identifying a solution is complex. Learn how to solve this complex problem...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Simplify and Consolidate Data Protection for Better Business Results Learn about IBM® Tivoli® Storage Manager Operations Center, which provides advanced visualization, built-in analytics and integrated workflow automation features that leapfrog traditional backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Windows White Papers | Webcasts