Limited attacks exploiting the hole and attempts to bypass workarounds are prompting the out-of-band security update, Microsoft says.
Microsoft said today it will issue an emergency patch tomorrow to fix an important hole in the ASP.Net framework used to create Web sites.
The vulnerability was disclosed by Microsoft just over a week ago and later found to be used in limited attacks. It affects all versions of the .Net framework when used on Windows Server operating systems, according to the advisory.
Windows desktop systems are affected but not vulnerable unless they are being used to run a Web server, Microsoft said.
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Dave Forstrom, director of Microsoft's Trustworthy Computing division, wrote in a blog post.
The update, due out around 10 a.m. PDT tomorrow, will be made available initially only on the Microsoft Download Center and through Windows Update and Windows Server Update Services in coming days, Forstrom said.
More details about the vulnerability are in this security advisory.