Microsoft have announced an out-of-band security update to fix the so-called “Padding Oracle Attack” vulnerability, which affects all versions of ASP.NET and which we wrote about in depth last week. The patch will be made available at 6pm BST (10am PDT) today, and then later on through Windows Update and Windows Server Update Services.
While detailed information has been given on the way the attack works, it has not been made clear how the fix addresses this vulnerability. As the issue has affected all versions of ASP.NET, there will be a long list of downloads available for each version; this is also the reason why it has taken so long to test everything and make sure there are no breaking changes in all of the fixed versions.
“Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required,” writes Scott Guthrie of the Microsoft team heading up the development of this fix. “Until you have installed the update, though, please do make sure to continue using the workarounds.”
Microsoft have announced a webcast today at 9pm BST (1pm PDT) to discuss the fix and take questions, which you can register for here. There is also a post on the Microsoft Security Response Center Blog, and the Advance Notification Bulletin for the release.