Microsoft to issue ASP.net patch out of cycle

By

Attackers could steal data.

Microsoft plans to release an emergency patch to plug a major vulnerability in the ASP.net  framework, used by millions of developers to build web applications, the software giant announced.

Limited public exploits began shortly after Microsoft released an advisory last week that acknowledged the flaw.

The bug involves a weakness in the way the ASP.net technology implements encryption that could allow an attacker to tamper with and potentially steal sensitive data, Kevin Brown, a Microsoft engineer, wrote in a blog post. Attackers can send a flood of encrypted messages, known as cipher text, to a targeted server and analyse the error messages they receive to decrypt the rest of the data.

"An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config," the Microsoft advisory said. "This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server." 

The vulnerability was disclosed the prior week by security researchers at a hacking conference in Buenos Aires. The researchers demonstrated the ability to exploit the flaw using a tool they released called a Padding Oracle Exploit Tool (POET).

Microsoft then updated a workaround for the issue. But the permanent, out-of-band patch, labeled "important", is coming due to active attacks and continued attempts to evade defences, according to Microsoft.

"The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center," Dave Forstrom, director of Trustworthy Computing at Microsoft, wrote in a blog post. "This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end-users who want to install this security update manually, the ability to test and update their systems immediately."

See original article on scmagazineus.com

Microsoft to issue ASP.net patch out of cycle
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Log In

  |  Forgot your password?