Microsoft pushes Windows Web bug patch to everyone
Offers ASP.Net fixes to all customers through Windows Update
Computerworld - Microsoft today released its latest emergency patch to its Windows Update distribution service, making good on a promise earlier this week.
On Tuesday, Microsoft shipped a fix for a flaw in the ASP.Net Web site and application framework that let attackers steal important data from Web servers, including account usernames and passwords.
At the time, the fix was only available from Microsoft's download site, which forced server administrators to manually retrieve and install the update. That caused some confusion among IT professionals and prompted them to bombard the company with questions.
Starting today, the MS10-070 update can be downloaded and installed through the usual Windows Update service, and the business-oriented Windows Server Update Services (WSUS) tool.
Microsoft acknowledged that its decision to offer the update manually before it had wrapped up Windows Update distribution testing was unprecedented, but argued that it was the best way to get the fix into administrators' hands as quickly as possible.
The Microsoft Security Response Center (MSRC) reported that attacks exploiting the ASP.Net encryption bug had been seen in the wild, one of the reasons why it pushed the patch to Microsoft's download center on Tuesday.
Other security experts applauded Microsoft for releasing the patch before it was ready to ship via Windows Update, noting that end users, who rely on Windows automatic update mechanism to keep their PCs current, weren't at risk from attack.
Some of the administrators trying to patch their Web servers might have disagreed.
After Scott Guthrie, the Microsoft executive who runs the ASP.Net development team, listed the array of updates -- up to six separate downloads for some server configurations -- scores of customers asked which updates they needed to download or reported patch errors.
Many of the questions were answered within hours by Jamshed Damkewala, identified as a lead program manager with the .Net framework engineering team.
Andrew Storms, manager of security operations at nCircle Security, argued that Microsoft's unique delivery technique earlier this week put pressure on administrators to keep to their usual patching practices.
"This is more than a 'download and install' kind of patch," Storms acknowledged in an instant message exchange. "But in similar fashion to, say, an Exchange or SQL server patch, the operational installation method here is still in the hands of the installer. This is why, despite Microsoft's fantastic patch quality, the enterprise still needs to follow prudent patch testing procedures."
Microsoft first sounded the alert about the ASP.Net bug on Sept. 17, after a pair of researchers demonstrated how attackers could pilfer browser session cookies, or steal passwords and usernames from Web sites. Three days later, Microsoft warned users that it was seeing limited, active attacks, and urged Web server administrators to apply complex workarounds it listed in an updated advisory.
The patch released today via Windows Update makes those workarounds unnecessary, Microsoft has said.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts