You know a problem is serious if Microsoft decides to release a fix for a vulnerability outside of its normal "Patch Tuesday" monthly schedule.Microsoft has released an out-of-band patch for a serious flaw in its ASP.NET web application development toolkit, which -- if left unfixed -- could give malicious hackers the ability to read any file on a web application server.

Worryingly, the security flaw has been exploited in some attacks already raising the spectre of unauthorized information disclosure.

Microsoft's security bulletin MS10-070 rates the security update as "important" for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3.

Consumers shouldn't need to do anything unless they are running a Web server from their computer. This is probably the reason why Microsoft isn't initially making the update available through the normal Windows Update services, and instead directing affected customers to manually download it from the Microsoft Download Center instead.

Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his award-winning other blog on the Sophos website, you can find him on Twitter at @gcluley. Special to Dark Reading.