Microsoft issues emergency out-of-band patch for ASP.Net

Microsoft has responded to news of a serious security vulnerability in the way that ASP.Net web applications are secured by issuing an emergency patch.

And you know that if a problem is serious enough for Microsoft decides to release a fix outside of its normal “Patch Tuesday” monthly schedule that it’s definitely an important vulnerability.

And rightly so – ASP.Net is a very popular framework for building applications on the web, with many online banking and ecommerce sites relying upon the technology.

The security issue was discovered by researchers Thai Duong and Juliano Rizzo, who discovered a way of exploiting the way that ASP.net web applications handle encrypted session cookies, and demonstrated their findings at a security conference in Argentina earlier this month.

If left unfixed, the security hole could give malicious hackers the ability to read any file on a web application server.

Chillingly, Duoung said:

“It’s worth noting that the attack is 100%…

Read more in my article on the Naked Security website.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.