Microsoft released Security Bulletin MS10-070 out-of-band today, a couple of weeks ahead of the regularly scheduled Patch Tuesday for October. The update resolves a zero-day issue in ASP.NET that could allow an attacker to compromise information on all supported versions of Windows.
The details from the Microsoft security bulletin describe the zero-day vulnerability. "An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server."
A blog post from Microsoft's Scott Guthrie provides a detailed explanation of the vulnerability. "To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server. By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text."
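The pattern Guthrie describes, and the fix that removes it, as an added illustration that is not code from the article, from Microsoft or from ASP.NET: a CBC/PKCS#7 decrypt handler whose error response depends on whether the padding checked out (that difference is the oracle), next to a hardened handler that authenticates the ciphertext with an HMAC before decrypting and returns one uniform error for every failure. The block cipher is a toy 4-round Feistel network keyed with HMAC-SHA256 so the example runs on the Python standard library alone; it stands in for AES and is not secure. The handler names, the `vs:` view-state prefix, the sample page data and the response strings are all constructed for this example.

```python
# Added example (not from the article, Microsoft, or ASP.NET): a padding-oracle
# style error leak next to the HMAC-then-decrypt fix.  The Feistel "cipher" is a
# toy stand-in for AES so everything runs on the standard library.
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, rnd):
    # Keyed round function: 8 bytes of HMAC-SHA256 over (round number, half block)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        l, r = _xor(r, _round_fn(key, l, rnd)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext):
    padded = pkcs7_pad(plaintext)
    prev, out = os.urandom(BLOCK), []
    out.append(prev)  # random IV travels in front of the ciphertext
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ciphertext):
    if len(ciphertext) % BLOCK or len(ciphertext) < 2 * BLOCK:
        raise ValueError("bad length")
    out = []
    for i in range(BLOCK, len(ciphertext), BLOCK):
        out.append(_xor(block_decrypt(key, ciphertext[i:i + BLOCK]), ciphertext[i - BLOCK:i]))
    return b"".join(out)


def handle_leaky(enc_key, ciphertext):
    """Vulnerable pattern: a padding failure and a content failure produce
    different responses, so a caller learns whether a modified ciphertext
    decrypted to valid padding.  That distinction is the oracle."""
    try:
        plaintext = pkcs7_unpad(cbc_decrypt(enc_key, ciphertext))
    except ValueError:
        return "500 padding error"
    if not plaintext.startswith(b"vs:"):
        return "400 malformed view state"
    return "200 ok"


def seal_hardened(enc_key, mac_key, plaintext):
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC


def handle_hardened(enc_key, mac_key, blob):
    """Fixed pattern: check the HMAC over the ciphertext first (constant-time
    compare) and give one response for every failure.  A modified ciphertext
    is rejected before its padding is ever inspected."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if len(ct) < 2 * BLOCK or not hmac.compare_digest(tag, expected):
        return "400 invalid request"
    try:
        plaintext = pkcs7_unpad(cbc_decrypt(enc_key, ct))
    except ValueError:
        return "400 invalid request"
    if not plaintext.startswith(b"vs:"):
        return "400 invalid request"
    return "200 ok"


def oracle_leak_check(handler, blob, ct_len, pad_len):
    """Defender's self-test.  Knowing the real padding length, flip the byte
    that feeds the final plaintext byte so it becomes 0x01 (valid padding) in
    one request and 0x00 (invalid) in another, then count distinct responses.
    More than one distinct response means the handler leaks padding validity."""
    idx = ct_len - BLOCK - 1  # last byte of the block preceding the final one
    responses = set()
    for target in (0x01, 0x00):
        forged = bytearray(blob)
        forged[idx] ^= pad_len ^ target
        responses.add(handler(bytes(forged)))
    return responses


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    page = b"vs:page=1"  # constructed sample view state: 9 bytes, 7 bytes of padding
    pad_len = BLOCK - len(page) % BLOCK
    leaky_blob = cbc_encrypt(enc_key, page)
    hard_blob = seal_hardened(enc_key, mac_key, page)
    leaky = oracle_leak_check(lambda b: handle_leaky(enc_key, b), leaky_blob, len(leaky_blob), pad_len)
    hard = oracle_leak_check(lambda b: handle_hardened(enc_key, mac_key, b), hard_blob, len(hard_blob) - TAG_LEN, pad_len)
    return leaky, hard


if __name__ == "__main__":
    leaky, hard = demo()
    print("leaky handler responses to two forgeries:", sorted(leaky))
    print("hardened handler responses to two forgeries:", sorted(hard))
```

Run stand-alone, the leaky handler answers the two forged requests with two different responses, while the hardened handler answers both with the same one. The point is not the error text but the ordering: with the MAC checked first, decryption and padding removal only ever run on ciphertext the server itself produced, so there is nothing left for error handling to leak. Mapping every failure to one page, as Microsoft's workaround did, closes the visible channel but is the weaker half of the fix on its own.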
Andrew Storms, director of security operations for nCircle, commented via email to say, "Microsoft delivered today's zero-day patch release in just eleven days. It's not the fastest turn-around time in Microsoft patch history, but it's pretty close to the seven day turnaround we saw in January. We now know that in the January update Microsoft knew about the bug before the exploit, so the seven day quick turnaround is a not entirely accurate measurement. This leaves me wondering if Microsoft already knew about today's bug. But the bigger question in my mind is the potential effect of this short turn-around on quality."
Interestingly, the update will not be immediately pushed through Automatic Updates. A blog post from the Microsoft Security Response Center explains, "The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days. This allows customers the option to deploy it manually now without delaying for broader distribution."
nCircle's Storms notes, "It's a bit odd that today's patch release won't be immediately available on Windows Update. Administrators and consumers will both be required to manually download the patch and install it manually," but Storms adds, "Since the major risk of this bug is with network administrators running IIS websites, manual downloads are probably a reasonable compromise between convenience and getting the patch out as quickly as possible."