Microsoft will release an emergency out-of-band security update to address a vulnerability in ASP.NET that affects all versions of the .NET Framework running on Windows Server.
The vulnerability – dubbed the Padding Oracle Exploit – abuses the way ASP.NET web applications handle encrypted session cookies and could potentially be used to hijack users' online banking sessions or other web transactions.
According to Microsoft, the emergency patch is due out later today.
“An out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defences and workarounds,” Dave Forstrom, director of Trustworthy Computing, said on Microsoft's Security Response Center blog.
Windows desktop systems can also be hit by the exploit, but only if consumers are running a web server from their computer, Microsoft said.
Initially, the update will be available only from the Microsoft Download Centre; it will be made available through Windows Update and Windows Server Update after further testing.