Microsoft has published a workaround for a security vulnerability in its ASP.NET software which was exposed last week.
The company owned up to the problem in a security advisory published on Friday after it was announced elsewhere.
"A few hours ago we released a Microsoft security advisory about a vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET 2," wrote Windows developer Scott Guthrie in a blog post.
"This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround to prevent attackers using this vulnerability against your ASP.NET applications."
The flaw gives attackers the ability to request and download files from within an ASP.NET application, which could include the web.config file.
Another option available for attackers is the opportunity to decrypt any data sent to a client machine in an encrypted state, i.e. material that is likely to be sensitive.
Guthrie explained that the vulnerability entails many access attempts before an attacker could ascertain that it exists.
"By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text," he said.
Administrators are advised to enable the feature of ASP.NET and configure the system to always return the same error message.
This will prevent hackers from "distinguishing between the different types of errors that occur on a server", according to Guthrie.
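As an added illustration (not code from Microsoft or from the article), the following Python sketch audits a web.config for the uniform-error workaround. It assumes the feature in question is ASP.NET's `customErrors` element, which this page does not name; the sample configurations and the `audit_custom_errors` function are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the article or the advisory).
WEAK = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/servererror.html" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

MISSING = "<configuration><system.web /></configuration>"


def audit_custom_errors(web_config_xml):
    """Return findings; an empty list means all errors map to one page."""
    root = ET.fromstring(web_config_xml)
    # iter() also picks up customErrors nested under <location> sections.
    nodes = list(root.iter("customErrors"))
    if not nodes:
        return ["no customErrors element: framework defaults apply"]
    findings = []
    for node in nodes:
        # ASP.NET treats an absent mode attribute as RemoteOnly.
        mode = node.get("mode", "RemoteOnly")
        if mode != "On":
            findings.append(f"mode is {mode!r}, expected 'On'")
        if not node.get("defaultRedirect"):
            findings.append("defaultRedirect is not set")
        # Per-status pages let a client tell error types apart.
        for err in node.findall("error"):
            code = err.get("statusCode")
            findings.append(f"separate error page for status {code}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("missing", MISSING)):
        print(name, audit_custom_errors(cfg) or "OK")
```
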
Microsoft has also released a small code patch for ASP.NET. Affected software includes Windows XP, including SP3 and Professional, Windows Server 2003 and 2008, Windows Vista and Windows 7.