Today we provided advance notification to customers that we will release an out-of-band security update to address the vulnerability discussed in Security Advisory 2416728. The update is scheduled for release tomorrow, Tuesday, September 28, 2010 at approximately 10:00 AM PDT. The bulletin has a severity rating of Important and addresses a publicly disclosed vulnerability in ASP.NET that affects all versions of the .NET Framework when used on Windows Server operating systems. Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.
Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.
The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible.
The update will also be released through Windows Update and Windows Server Update Services within the next few days as we test to make sure distribution will be successful through these channels. This approach allows us to release sooner to customers who may choose to deploy it manually without delaying for broader distribution.
For customers using Automatic Update, this Security Update will automatically be applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.
We will also hold a special edition webcast for the bulletin release on Tuesday, September 28, 2010 at 1:00 PM PDT, where we will present information on the bulletin and take customer questions. If you are interested in attending the webcast, click here to sign up.
Director, Trustworthy Computing