Microsoft today will deliver an out-of-band security update to plug an Important vulnerability that renders all ASP.Net-based Web apps susceptible to hacking. The company will almost certainly use the opportunity to berate security researchers who expose such critical vulnerabilities to the public, rather than working quietly with Microsoft to fix them.
Though the vulnerability, made public by security researchers Juliano Rizzo and Thai Duong, was reported more than two weeks ago, Microsoft only acknowledged its existence on Sept. 20 and soon after disclosed a workaround. In the meantime, in-the-wild attacks exploiting the vulnerability have been reported. The official update will be available for download at 1 p.m. PT today via the Microsoft Download Center.
Along with the release of the update, Microsoft will host a 90-minute Webcast featuring Microsoft Response Communications Director Dave Forstrom and Senior Security Manager Dustin Childs, who will be addressing customer questions.
Forstrom and Childs will almost certainly use their podium to criticize security researchers such as Rizzo and Duong for putting users' and organizations' sensitive data at risk by publicizing a critical bug, rather than quietly reporting it to Microsoft to fix before attacks commenced. The company has recently found itself in similarly difficult spots, having to crank out zero-day fixes for vulnerabilities made public by security researchers, including a group called Goatse Security and Google security engineer Tavis Ormandy.