September 27, 2010

Microsoft to issue ASP.net patch out of cycle on Tuesday

Microsoft plans to release an emergency patch on Tuesday to plug a major vulnerability in the ASP.net  framework, used by millions of developers to build web applications, the software giant announced Monday.

Limited, public exploits began shortly after Microsoft released an advisory on Friday that acknowledged the flaw.

The bug involves a weakness in the way the ASP.net technology implements encryption that could allow an attacker to tamper with and potentially steal sensitive data, Kevin Brown, a Microsoft engineer, wrote in a blog post Friday. Attackers can send a flood of encrypted messages, known as cipher text, to a targeted server and analyze the error messages they receive to decrypt the rest of the data.

"An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Microsoft advisory said. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server." 

The vulnerability was disclosed the prior week by security researchers at a hacking conference in Buenos Aires, Argentina. The researchers demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).

Microsoft on Friday updated a workaround for the issue. But the permanent, out-of-band patch, labeled "important," is coming due to active attacks and continued attempts to evade defenses, according to Microsoft.

"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center," Dave Forstrom, director of Trustworthy Computing at Microsoft, wrote in a blog post. "This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end-users who want to install this security update manually, the ability to test and update their systems immediately."

Related Articles
Related Topics

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.