"This issue affects applications developed using ASP.NET and using the new 'Full IIS' feature of SDK v1.3 that have a Web Role deployed," Microsoft said. "In the case of vulnerable Web Roles, it may be possible for clients to determine the contents of the state information (though the client could still not change it). If the Web site depended on the client not being able to see the contents, its security could be compromised."
Affected Azure customers should download the refresh of the SDK, redeploy their applications and verify that the fix is working. Instructions are available on the Windows Azure blog.
In addition to the Azure fix, Microsoft is scheduled to patch 22 bugs next week as part of the monthly Patch Tuesday. All versions of Windows will receive multiple critical patches, and Internet Explorer will also be fixed up.
Separately from these security announcements, Microsoft said that it is offering "extra small" compute instances in Windows Azure as part of a new public beta that will give developers a cheaper entrance into cloud computing.
Extra small Windows Azure compute instances cost 5 cents an hour, whereas the four larger sizes range from 12 cents to 96 cents. The new instance type offers 1GHz of CPU, 768MB of memory, 20GB storage, and lower I/O performance than the more robust instances.
Even the second-smallest instances offer 1.6GHz of CPU, 1.75GB memory and 225GB storage, and better I/O performance, but Microsoft said it has received "a lot of interest" in the extra small instances since opening a private beta last October.
"This smaller instance provides developers with a cost-effective training and development environment," Microsoft said. "Developers can also use the 'Extra Small' instance to prototype cloud solutions at a lower cost," and the new size is "more affordable for developers interested in running smaller applications on the platform."
With one year of production under its belt, Windows Azure has 31,000 active subscribers and is hosting 5,000 applications.
Read more about software in Network World's Software section.
This story, "Microsoft Fixes Cookie Security Bug in Windows Azure" was originally published by Network World.