Microsoft is warning customers that it has seen ongoing attacks against the recently disclosed padding oracle vulnerability in ASP.NET and is encouraging them to implement a workaround that will help protect against the publicly disclosed exploit for the bug.
The workaround that Microsoft has developed causes ASP.NET applications to return the same error message regardless of the actual error encountered. This prevents the server from sending the attacker error responses that would reveal which error occurred in the application.
“A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page – regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server,” Microsoft’s Scott Guthrie said in a blog post explaining the workaround. “Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page. This requires you to explicitly set the “defaultRedirect” attribute on the <customErrors> section and ensure that no per-status codes are set.”
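The following web.config fragments illustrate the two settings the quoted guidance contrasts. They are an added example, not configuration from the article or from Microsoft's post; the page names (~/GenericError.html, ~/NotFound.html, ~/ServerError.html, ~/Error.html) are placeholders. The first fragment is the kind of configuration Guthrie warns is insufficient; the second applies the workaround as he describes it.

```xml
<!-- Added example (not from the article or Microsoft's post).
     Two alternative fragments are shown; each belongs in its own web.config.
     Page names are assumed placeholders. -->

<!-- INSUFFICIENT: errors are only hidden from remote clients, and the
     per-status-code <error> entries still send a different page for a
     404 than for a 500, so a client can tell the two failures apart. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/GenericError.html">
      <error statusCode="404" redirect="~/NotFound.html" />
      <error statusCode="500" redirect="~/ServerError.html" />
    </customErrors>
  </system.web>
</configuration>

<!-- WORKAROUND AS DESCRIBED: customErrors forced on, a single
     defaultRedirect, and no per-status-code <error> entries, so every
     failure yields the same response. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.html" />
  </system.web>
</configuration>
```

To check the result, request a path that does not exist and a page that throws an unhandled exception from a client outside the server, and confirm that both requests produce the same redirect target and the same response body; any difference is a signal the workaround is meant to remove. Because the researchers who reported the bug state that the attack does not depend on error messages, treat this configuration as a mitigation to apply now, not as a substitute for the patch Microsoft has said it will release.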
However, the researchers who demonstrated the ASP.NET attack at the Ekoparty conference last week, Juliano Rizzo and Thai Duong, said that the attack will work even without error messages from the target application.
Microsoft security officials said that they plan to release a patch for the ASP.NET flaw, although they have not specified any time frame for the release.