Microsoft is investigating reports that have circulated on various Web sites of a vulnerability an attacker could...
use to bypass authentication on a Web site running ASP.NET applications on Windows 2000 or Windows XP.
"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the situation," a spokeswoman for the software company said Monday. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
She said the reports indicate that the vulnerability could allow an attacker to bypass authentication on a Web site running ASP.NET applications on Windows 2000 or Windows XP. "This could allow the attacker to make changes to the content of the site or its presentation, but would not allow the attacker to control the computer or run software on it," she added.
The NT Bugtraq security mailing list initially posted a message from researcher Toby Beaumont regarding the possible security hole Sept. 14. Since then, several Web logs have been buzzing about it.
One blog, kept by Lorenzo Barbieri via Weblogs.Asp.Net, said potential workarounds are to use Windows 2003 or use URLScan. Another suggestion, he said, is to "rewrite the URL in the global.asax or in an HTTPModule."
The Microsoft spokeswoman urged customers who believe they may have been affected to contact security support services.
This article originally appeared on SearchSecurity.com.