Company rushes yet again to fix a vulnerability only after it's been made public by the security community

Microsoft today will deliver an out-of-band security update to plug an Important vulnerability that renders all ASP.Net-based Web apps susceptible to hacking. The company will almost certainly use the opportunity to berate security researchers who expose such critical vulnerabilities to the public, rather than working quietly with Microsoft to fix them.

Though the vulnerability, made public by security researchers Juliano Rizzo and Thai Duong, was reported more than two weeks ago, Microsoft only acknowledged its existence on Sept. 20 and soon after disclosed a workaround. In the meantime, in-the-wild attacks exploiting the vulnerability have been reported. The official update will be available for download at 1 p.m. PT today via the Microsoft Download Center.

Along with the release of the update, Microsoft will host a 90-minute Webcast featuring Microsoft Response Communications Director Dave Forstrom and Senior Security Manager Dustin Childs, who will be addressing customer questions.

Forstrom and Childs will almost certainly use their podium to criticize security researchers such as Rizzo and Duong for putting users’ and organizations’ sensitive data at risk by publicizing a critical bug, rather than quietly reporting it to Microsoft to fix before attacks commenced.

The company has recently found itself in the similarly difficult spot of having to crank out zero-day fixes for vulnerabilities made public by security researchers, including a group called Goatse Security and Google security engineer Tavis Ormandy.

In response to those incidents, and to associated criticism that the company moves too slowly to fix critical bugs, the company in late July unveiled a coordinated response initiative, encouraging security researchers to work with Microsoft to plug security holes.

The out-of-band update affects all versions of the .Net Framework when used on Windows Server OSes, according to Microsoft. Windows desktop systems are listed as affected, but users are not vulnerable unless they are running a Web server from their computer.

More information about the vulnerability is available at Microsoft TechNet and on the blog of Scott Guthrie, Microsoft vice president of the .Net developer platform.

This article, “Microsoft to use ASP.Net fix to call for responsible disclosure?,” was originally published at InfoWorld.com.