Microsoft plans to release an emergency patch to plug a major vulnerability in the ASP.net framework, used by millions of developers to build web applications, the software giant announced.Limited public exploits began shortly after Microsoft released an advisory last week that acknowledged the flaw.The bug involves a weakness in the way the ASP.net technology implements encryption that could allow an attacker to tamper with and potentially steal sensitive data, Kevin Brown, a Microsoft engineer, wrote in a blog post. Attackers can send a flood of encrypted messages, known as cipher text, to a targeted server and analyse the error messages they receive to decrypt the rest of the data."An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Microsoft advisory said. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server." The vulnerability was disclosed the prior week by security researchers at a hacking conference in Buenos Aires. The researchers demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).Microsoft then updated a workaround for the issue. But the permanent, out-of-band patch, labeled "important", is coming due to active attacks and continued attempts to evade defences, according to Microsoft."The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center," Dave Forstrom, director of Trustworthy Computing at Microsoft, wrote in a blog post. "This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end-users who want to install this security update manually, the ability to test and update their systems immediately."See original article on scmagazineus.com
Copyright © SC Magazine, US edition
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.