Microsoft to issue ASP.net patch out of cycle on Tuesday

Share this article:

Microsoft plans to release an emergency patch on Tuesday to plug a major vulnerability in the ASP.net  framework, used by millions of developers to build web applications, the software giant announced Monday.

Limited, public exploits began shortly after Microsoft released an advisory on Friday that acknowledged the flaw.

The bug involves a weakness in the way the ASP.net technology implements encryption that could allow an attacker to tamper with and potentially steal sensitive data, Kevin Brown, a Microsoft engineer, wrote in a blog post Friday. Attackers can send a flood of encrypted messages, known as cipher text, to a targeted server and analyze the error messages they receive to decrypt the rest of the data.

"An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Microsoft advisory said. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server." 

The vulnerability was disclosed the prior week by security researchers at a hacking conference in Buenos Aires, Argentina. The researchers demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).

Microsoft on Friday updated a workaround for the issue. But the permanent, out-of-band patch, labeled "important," is coming due to active attacks and continued attempts to evade defenses, according to Microsoft.

"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center," Dave Forstrom, director of Trustworthy Computing at Microsoft, wrote in a blog post. "This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end-users who want to install this security update manually, the ability to test and update their systems immediately."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.