Microsoft sounds alert on massive Web bug

Microsoft on Friday warned users that a critical bug in ASP.Net could be exploited by attackers to hijack encrypted Web sessions and pilfer usernames and passwords from Web sites.

Microsoft on Friday warned users that a critical bug in ASP.Net could be exploited by attackers to hijack encrypted Web sessions and pilfer usernames and passwords from Web sites.

The vulnerability went public that same day when a pair of researchers outlined the bug and attack techniques at the Ekoparty security conference in Buenos Aires, Argentina.

According to Microsoft's advisory, the flaw exists in all versions of its ASP.Net, the company's Web application framework used to craft millions of sites and applications. Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 (SP3) and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software.

At Ekoparty, Juliano Rizzo and Thai Duong demonstrated how a flaw in ASP.Net's encryption can be exploited to decrypt session cookies or other encrypted data on a remote server, and access and snatch files from a site or Web application that relies on the framework.

According to Rizzo and Duong, their attack is able to access Web applications with full administrator rights, resulting in everything from "information disclosure to total system compromise."

They estimated that 25 per cent of the Internet's Web sites use ASP.Net.

Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text.

Although Microsoft said it would produce a patch, it has not set a timetable for its release. In the meantime, the company suggested site and application developers tweak their code.

"[You can] prevent this vulnerability [by enabling] the customErrors feature of ASP.Net, and explicitly configure your applications to always return the same error page -- regardless of the error encountered on the server," said Scott Guthrie, who runs several development teams at Microsoft, including the group responsible for ASP.Net. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server."

Microsoft included details on the same workaround in its security advisory.

The workaround protects users against the attack Rizzo and Duong outlined, but doesn't address the underlying problem. "We will obviously release a patch for this," Guthrie said in a comment added Saturday to his blog post. "Until then, the above workaround closes the attack vector."

Rizzo and Duong dubbed the attack "oracle padding" after the cryptographic term that describes a system which provides hints when queried.

The two released a tool dubbed POET (Padding Oracle Exploit Tool) three months ago that lets researchers sniff out frameworks vulnerable to attack. A month before that they presented their findings at Black Hat Europe and published a paper (download PDF).

Andrew Storms, director of security operations at nCircle Security, called the vulnerability "worrisome."

"For public services, people are going to be concerned about attackers getting access to any file [on the server] -- for example 'web.config' files with login/password information in them," Storms said in an instant message.

Attackers could also decrypt data sent from a server to client machines, added Guthrie.

Microsoft has published a Visual Basic script that detects vulnerable ASP.Net applications (download .vbs script) and has set up a dedicated support forum to handle questions from site and application developers.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer or subscribe to Gregg's RSS feed Keizer RSS. His e-mail address is gkeizer@ix.netcom.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?