infosec-news September 2010 archive
Main Archive Page > Month Archives  > infosec-news archives
infosec-news: [ISN] Microsoft to issue emergency patch for ASP.N

[ISN] Microsoft to issue emergency patch for ASP.Net vuln

From: InfoSec News <alerts_at_nospam>
Date: Thu Sep 30 2010 - 07:05:24 GMT

By Dan Goodin in San Francisco
The Register
27th September 2010

Microsoft will release an emergency patch on Tuesday that plugs a
security hole in a variety of its web developer tools that has been
under active attack for more than a week.

The vulnerability in ASP.Net applications allows attackers to decrypt
password files, cookies, and other sensitive data that is supposed to
remain encrypted as they pass from the server to a web browser. It works
by flooding a server with thousands of corrupted web requests and then
analyzing the error messages and other responses that result. The series
of responses are known as a “cryptographic padding oracle” that over
time deliver information that an attacker can deduce the secret key used
to scramble the communications.

The vulnerability was disclosed two weeks ago at the Ekoparty conference
in Argentina. Microsoft soon responded with an advisory that warned that
the vulnerability was under “limited attack.” It recommended that users
implement several temporary measures to make the exploits harder to
carry out.

The workaround involves reconfiguring a webserver so that all error
messages are mapped to a single error page that prevents the attacker
from distinguishing among different types of errors, effectively
muzzling the oracle. Thai Duong, one of the researchers who disclosed
the vulnerability, has said turning off customized error messages isn't
enough to prevent exploits, because attackers can still glean important
clues by measuring the different amounts of time required for certain
errors to be returned.


Subscribe to InfoSec News -