Quick note for today: Microsoft has released another out-of-band patch for a vulnerability in ASP.NET (MS10-070).  ASP.NET is a framework that’s used as the foundation for many web applications and services.  According to Microsoft’s bulletin, “this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application”, which could be serious for some applications.  In general, though, this is an information-disclosure vulnerability only; it cannot be used to execute code on an exploited machine.

MS first disclosed this issue on Sep 17th.  Since then, the attack has been incorporated into a public toolkit, and MS reports limited, targeted attacks in the wild.  This is the 4th out-of-band patch this year (twice the highest number we’ve seen in any previous year).