Microsoft has issued a security advisory for a recently disclosed vulnerability in ASP.NET that could leave millions of Web pages vulnerable to attack.
The company on Friday released Security Advisory 2416728 addressing the ASP.NET security hole, which was first disclosed by researchers at the annual ekoparty hacking conference in Buenos Aires, Argentina, on Friday. Microsoft said it is not aware of any attacks leveraging the hole, which concerns ASP.NET's implementation of the AES encryption algorithm used to protect the integrity of Web session cookies, which can store sensitive information. However, it provided steps to safeguard vulnerable ASP.NET applications from attacks.
Microsoft said it is continuing to investigate the issue and is working with other security companies in the Microsoft Active Protections Program (MAPP) to build protections against attacks that try to leverage the ASP.NET vulnerability. Microsoft also chided researchers for revealing the hole at a public hacking conference rather than working with the company to develop a patch first.
“We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity,” Microsoft said in its advisory.
On Friday, researchers Juliano Rizzo and Thai Duong demonstrated the technique they developed for stealing cryptographic keys for ASP.NET Web applications using a tool called the Padding Oracle Exploit Tool.
In a blog post accompanying the advisory, Microsoft said the impact of the vulnerability will vary depending on the ASP.NET application being targeted, but that applications using ASP.NET 3.5 SP1 or above could be made to divulge the contents of “an arbitrary file” using the Padding Oracle attack, exposing passwords, database connection strings or other sensitive data.
A workaround provided by the company suggests using ASP.NET’s customErrors feature to return the same error page regardless of the error encountered on the server, denying attackers the per-error feedback needed to decrypt the cipher text. Some ASP.NET applications may already be configured to return the same message for all errors; Microsoft provided a script to detect ASP.NET applications that were not configured to do so.
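The following is an added example, not Microsoft's detection script or any code from the advisory: a small checker that parses a web.config and reports whether its customErrors settings meet the "same error page for every error" criterion described above. The criteria it applies are assumptions chosen for this example: mode must be "On" (RemoteOnly is flagged because local requests would still receive distinct detailed errors), a defaultRedirect page must be set, and per-status `<error>` overrides that point at a different page are flagged because they make error responses distinguishable. The two sample configurations are constructed for the example; the hardened one mirrors the shape of the workaround (a single defaultRedirect, no per-status overrides, `allowOverride="false"` so sub-applications cannot relax it).

```python
"""Check web.config files for the "one error page for every error" pattern.

Added example (not Microsoft's detection script). Flags ASP.NET applications
whose <customErrors> settings can let the server answer different error
conditions with different responses. Criteria (assumptions for this example):
  * <customErrors> must be present with mode="On";
  * a defaultRedirect page must be set;
  * no <error statusCode=...> child that redirects somewhere other than
    defaultRedirect, since that makes responses distinguishable.
"""
import xml.etree.ElementTree as ET
from typing import List


def check_custom_errors(web_config_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    root = ET.fromstring(web_config_xml)
    # customErrors may sit under <location><system.web>, so search the whole tree.
    nodes = root.findall(".//customErrors")
    if not nodes:
        return ["no <customErrors> element: default ASP.NET error handling applies"]
    for node in nodes:
        mode = node.get("mode", "")
        default = node.get("defaultRedirect")
        if mode.lower() != "on":
            findings.append(f'customErrors mode="{mode or "(missing)"}": must be "On"')
        if not default:
            findings.append("customErrors has no defaultRedirect page")
        for err in node.findall("error"):
            redirect = err.get("redirect")
            if redirect and redirect != default:
                findings.append(
                    f'<error statusCode="{err.get("statusCode")}"> redirects to '
                    f"{redirect}, which differs from defaultRedirect"
                )
    return findings


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/error.aspx" />
    </system.web>
  </location>
</configuration>"""


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_custom_errors(cfg)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Run it against a site's web.config files (including those of nested applications) to get a quick inventory of which ones still hand back differing error pages. The error page itself must also behave identically for every error; the advisory's guidance paired the single error page with a small random delay on it, because a timing difference between error conditions is another way for responses to be told apart.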
The company promised to release more information as it became available and as it worked towards a permanent fix for the ASP.NET hole.