Microsoft has issued an out-of-band security update, blocking ongoing attacks against a flaw in the ASP.NET web application framework that can cause poor encryption implementations.
The emergency bulletin, MS-10-070 blocks ongoing attacks that could enable an attacker to read data on an encrypted Web server. The hole can also be used to decrypt any data, including session cookies, that was encrypted by the server.
The patch is rated important for the .NET framework running on all supported versions of Windows, including Windows Server 2003 and 2008.
Microsoft issued an advisory earlier this month when two researchers demonstrated a The padding oracle attack works by tricking the Web server behind the applications into giving up sensitive information in error messages. Earlier workarounds suggested by Microsoft made the attack more difficult to carry out, but didn't block it completely.
Web application security experts said the use of .NET for Web applications was popular a few years ago. Today, about 25% of Internet facing applications made with the ASP.NET framework. But many enterprises have been turning to other programming languages, such as Java or PHP.
Padding oracle vulnerabilities affecting encryption implementations have been known in the researcher community since 2002. The Ruby on Rails, and the OWASP Enterprise Security API Toolkits could also be affected by the issue,