The vulnerability in ASP.NET was reported on September 17 when an attacker used it to view encrypted files on a server and meddle with the data before sending it back.
Now the company is releasing an unscheduled bulletin, rated as important, to fix the issue.
“Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defences and workarounds,” wrote Dave Forstrom, director of Trustworthy Computing at Microsoft, in a blog post.
He also said, whilst Windows desktops were listed as affected, they were only at risk if people used them as web servers as well.
Initially the update will only be available through the Microsoft Download Centre.
“This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately,” added Forstrom.
It will then go out through the usual Microsoft updates route over the next few days.