Microsoft has released updated workaround guidance for the ASP.NET padding oracle vulnerability, suggesting that customers use a technique to block requests that specify an application error. However, the researchers who developed the attack on ASP.NET have said that the workaround is not sufficient to prevent the attack.
Microsoft on Friday updated their original security advisory about the ASP.NET flaw, saying that customers could use a tool called URLScan for the company’s IIS Web server software to automatically block those requests that do specify an application error on the querystring.
“On systems using the .NET Framework version 3.5 Service Pack 1 or
4.0, the workaround provides further protection by also helping to
protect against the timing attack portion of the current exploit. The
workaround uses the redirectMode=”ResponseRewrite” option in the
customErrors feature, and introduces a random delay in the error page.
These approaches work together to make it more difficult for an attacker
to deduce the type of error that occurred on the server by measuring
the time it took to receive the error,” the company said.
“Additionally, this
workaround requires blocking requests that specify the application error
path on the querystring. This can be done using URLScan, a free tool
for Internet Information Services (IIS) that can selectively block
requests based on rules defined by the administrator. If your system is
running Internet Information Services (IIS) on Windows Vista Service
Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server
2008 R2, you can alternatively use the Request Filtering feature.”
However, Juliano Rizzo and Thai Duong, the researchers who developed the attack against ASP.NET, have said that their technique doesn’t require the error messages, they simply make the attack easier. Of course, easy is always better than hard, but the researchers say that customers will not be fully protected until Microsoft releases a patch for the flaw.
“Another video may
prove it all, but I’m tired. So believe it or not, Microsoft workarounds
can’t prevent the attack. Ask them for the patch!,” Duong said in a message on Twitter Sunday night. Duong and Rizzo said that even without the error messages from a target application, they can HTTP statuses or timing differences to execute their attack.
“Microsoft remains committed to taking the appropriate action to help
protect our customers. Through our comprehensive monitoring, we continue
to see limited active attacks. We want to assure you that we have teams
working around the clock worldwide to develop a security update of
appropriate quality for distribution to address this vulnerability,” Microsoft’s Dave Forstrom said in a blog post about the updated guidance.
The next scheduled patch release from Microsoft is Oct. 12, but the company may push out an emergency fix for the ASP.NET flaw before then, given the seriousness of the problem and the huge base of vulnerable Web applications.