Workarounds Not Enough to Protect Against ASP.NET Attacks
Microsoft has released updated workaround guidance for the ASP.NET padding oracle vulnerability, suggesting that customers use a technique to block requests that specify an application error. However, the researchers who developed the attack on ASP.NET have said that the workaround is not sufficient to prevent the attack.
Microsoft on Friday updated their original security advisory about the ASP.NET flaw, saying that customers could use a tool called URLScan for the company's IIS Web server software to automatically block those requests that do specify an application error on the querystring.
"On systems using the .NET Framework version 3.5 Service Pack 1 or 4.0, the workaround provides further protection by also helping to protect against the timing attack portion of the current exploit. The workaround uses the redirectMode="ResponseRewrite" option in the customErrors feature, and introduces a random delay in the error page. These approaches work together to make it more difficult for an attacker to deduce the type of error that occurred on the server by measuring the time it took to receive the error," the company said.
"Additionally, this workaround requires blocking requests that specify the application error path on the querystring. This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator. If your system is running Internet Information Services (IIS) on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2, you can alternatively use the Request Filtering feature."
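To make the timing part of the workaround concrete, here is an added example of what the error page's code-behind looks like under this guidance. It is not text from Microsoft's advisory or from the researchers; the class name, file name and the `Error.aspx` path are assumptions. It assumes `web.config` carries `<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />`, so every application error renders this one page in place rather than redirecting to an error-specific URL.

```csharp
// Error.aspx.cs (added example; hypothetical file and class name)
// Assumes web.config contains:
//   <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
// With ResponseRewrite, every unhandled error renders this page at the original URL,
// so the client sees one generic response instead of a redirect whose target leaks
// which error occurred.
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Sleep for a random 0..255 ms drawn from a cryptographic RNG, so the time
        // it takes to receive the error page no longer tracks the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator only implements IDisposable from .NET 4.0 on; this
        // cast keeps the page compiling on the 3.5 SP1 runtime the advisory covers.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }

        // The page markup itself should show one fixed, generic message for every
        // failure: never write exception details or the failing URL into the response.
    }
}
```

Two caveats a deployer should keep in mind: the delay only blurs timing, it does not change the status code or body, so the request-filtering step the advisory pairs with it (blocking requests that carry the application error path on the querystring) is still required; and, as the researchers quoted below point out, these measures raise the cost of the attack rather than remove the padding oracle, which only the patch does.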
However, Juliano Rizzo and Thai Duong, the researchers who developed the attack against ASP.NET, have said that their technique doesn't require the error messages; they simply make the attack easier. Of course, easy is always better than hard, but the researchers say that customers will not be fully protected until Microsoft releases a patch for the flaw.
"Another video may prove it all, but I'm tired. So believe it or not, Microsoft workarounds can't prevent the attack. Ask them for the patch!" Duong said in a message on Twitter Sunday night. Duong and Rizzo said that even without the error messages from a target application, they can use HTTP statuses or timing differences to execute their attack.
"Microsoft remains committed to taking the appropriate action to help protect our customers. Through our comprehensive monitoring, we continue to see limited active attacks. We want to assure you that we have teams working around the clock worldwide to develop a security update of appropriate quality for distribution to address this vulnerability," Microsoft's Dave Forstrom said in a blog post about the updated guidance.
The next scheduled patch release from Microsoft is Oct. 12, but the company may push out an emergency fix for the ASP.NET flaw before then, given the seriousness of the problem and the huge base of vulnerable Web applications.