Microsoft confirms zero-day vulnerability in ASP.NET

Exploiting this vulnerability could allow attackers to view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config, Microsoft said.

This would allow the attacker to tamper with the contents of the data, and by sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server, the advisory said.

Microsoft said it is aware of limited, active attacks that exploit a flaw in the way the ASP.NET web application development framework implements AES encryption.

The vulnerability was disclosed last week by security researchers at the ekoparty hacking conference in Buenos Aires.

The impact of the vulnerability could be far reaching because applications built on the ASP.NET framework are widespread, said security experts.

Microsoft has updated its initial security advisory to include questions and answers on the vulnerability, said Dave Forstrom, director of Trustworthy Computing at Microsoft, in a blog post.

"We have also added additional technical questions and answers to the Security and Defense blog, which has previously discussed the issue", he wrote.

Microsoft is working on a security update to fix the vulnerability, but has published a workaround in the security advisory.

Microsoft suggests enabling the customErrors feature of ASP.NET to configure applications to always return the same error page, regardless of the error encountered on the server.

This can make it more difficult for an attacker using the current exploit to distinguish between the different types of errors that occur on a server, the company said.
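The customErrors workaround described above, shown as an added illustration rather than configuration taken from Microsoft's advisory: the first web.config fragment is the weak setting, where a client can tell one failure from another, and the second is the single generic error page for every error that the workaround calls for. The page path ~/GenericError.aspx is an assumption.

```xml
<!-- Fragment 1 (weak): errors are distinguishable. mode="Off" returns
     ASP.NET's detailed error pages to every client, and per-status-code
     entries, even under mode="On", still let a client tell one kind of
     failure from another. -->
<configuration>
  <system.web>
    <customErrors mode="Off">
      <error statusCode="404" redirect="~/NotFound.htm" />
      <error statusCode="500" redirect="~/ServerError.htm" />
    </customErrors>
  </system.web>
</configuration>

<!-- Fragment 2 (hardened): one page for every error and no per-status-code
     entries, so the response looks the same whatever failed on the server.
     "~/GenericError.aspx" is an assumed path. redirectMode="ResponseRewrite"
     (ASP.NET 3.5 SP1 and later) renders the error page in place instead of
     issuing a 302 redirect, so the redirect itself does not become a tell. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  defaultRedirect="~/GenericError.aspx"
                  redirectMode="ResponseRewrite" />
  </system.web>
</configuration>
```

Verify the change by requesting a missing page and a page that throws, and confirming that both responses carry the same body.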

Microsoft says it may provide a security update through its monthly Patch Tuesday process or release an out-of-cycle security update, depending on customer needs.

This story was first published by Computer Weekly
