Out-of-band security patch coming for Padding Oracle ASP.NET attack

Microsoft have announced an out-of-band security update to fix the so-called “Padding Oracle Attack” that exploits all versions of ASP.NET that we wrote about in-depth last week. The patch will be made available at 6pm BST (10am PDT) today, and then later on through Windows Update and the Windows Server Update Service.

While detailed information has been given on the way the attack works, it has not been made clear how the fix addresses this vulnerability. As the issue has affected all versions of ASP.NET, there will be a long list of downloads available for each version; this is also the reason why it has taken so long to test everything and make sure there are no breaking changes in all of the fixed versions.

“Applying the update addresses the ASP.NET Security vulnerability, and once the update is applied to your system the workarounds we have previously blogged about will no longer be required,” writes Scott Guthrie of the Microsoft team heading up the development of this fix. “Until you have installed the update, though, please do make sure to continue using the workarounds.”

Microsoft have announced a webcast today at 9pm BST (1pm PDT) to discuss the fix and take questions, which you can register for here. There is also a post on the Microsoft Security Response Center Blog, and the Advance Notification Bulletin for the release.

You might also like...



Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“PHP is a minor evil perpetrated and created by incompetent amateurs, whereas Perl is a great and insidious evil perpetrated by skilled but perverted professionals.” - Jon Ribbens