Out-of-Band Patch
Microsoft just published an out-of-band patch for its <a href="http://en.wikipedia.org/wiki/Active_Server_Pages">ASP</a> .NET vulnerability. The vulnerability allows for remote cracking of some encryption keys via an oracle vulnerability. Any system telling an attacker some fact about a piece of encrypted data is dubbed an "oracle."
Microsoft just published an out-of-band patch for its ASP .NET vulnerability. The vulnerability allows for remote cracking of some encryption keys via an oracle vulnerability. Any system telling an attacker some fact about a piece of encrypted data is dubbed an "oracle."
"This particular vulnerability affects cyrpto systems that do not validate if the data was changed," said Johannes Ullrich, SANS Institute's chief of research, "so essentially what was missing here was some kind of cryptographic hash that could be used by the recipient to verify whether or not the data was modified."
The vulnerability appears to be quite serious for users operating .net applications on a windows server, however, Microsoft did not make its patch available via automatic update channels. The company may with next month's patch Tuesday, but for now, you will have to download and apply the patch manually.