Microsoft to issue ASP.net patch out of cycle on Tuesday
Microsoft plans to release an emergency patch on Tuesday to plug a major vulnerability in the ASP.net framework, used by millions of developers to build web applications, the software giant announced Monday.
Limited, public exploits began shortly after Microsoft released an advisory on Friday that acknowledged the flaw.
The bug involves a weakness in the way the ASP.net technology implements encryption that could allow an attacker to tamper with and potentially steal sensitive data, Kevin Brown, a Microsoft engineer, wrote in a blog post Friday. Attackers can send a flood of encrypted messages, known as cipher text, to a targeted server and analyze the error messages they receive to decrypt the rest of the data.
"An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Microsoft advisory said. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server."
The vulnerability was disclosed the prior week by security researchers at a hacking conference in Buenos Aires, Argentina. The researchers demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).
Microsoft on Friday updated a workaround for the issue. But the permanent, out-of-band patch, labeled "important," is coming due to active attacks and continued attempts to evade defenses, according to Microsoft.
"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center," Dave Forstrom, director of Trustworthy Computing at Microsoft, wrote in a blog post. "This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end-users who want to install this security update manually, the ability to test and update their systems immediately."