Microsoft today published an out-of-band security update (MS10-070) to fix a flaw in ASP.NET that is being exploited in the wild. The vulnerability could allow an attacker to compromise data on Windows machines ranging from XP and Server 2003 through Windows 7 and Server 2008 R2.
"An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server," Redmond said today. Microsoft's Scott Guthrie provides an in-depth overview of the flaw on his blog.
Today's release comes only 11 days after Microsoft initially warned of the bug, making for one of the company's quickest turnarounds -- second to a seven-day release in January. Given the urgency, Microsoft issued the fix a couple weeks ahead of its usual monthly release cycle, though it won't be available through Windows Update for a few days. Until then, network admins and consumers can manually download the patch via the Microsoft Download Center without waiting for widespread distribution.