Microsoft sounds alert on massive Web bug
'Padding oracle' vulnerability found in ASP.Net framework behind millions of Web sites, applications
Computerworld - Microsoft on Friday warned users that a critical bug in ASP.Net could be exploited by attackers to hijack encrypted Web sessions and pilfer usernames and passwords from Web sites.
The vulnerability went public that same day when a pair of researchers outlined the bug and attack techniques at the Ekoparty Security Conference in Buenos Aires.
According to Microsoft's advisory, the flaw exists in all versions of ASP.Net, the company's Web application framework used to craft millions of sites and applications. Microsoft will have to patch every supported version of Windows, from XP Service Pack 3 and Server 2003 to Windows 7 and Server 2008 R2, as well as other products, including its IIS and SharePoint server software.
At Ekoparty, Juliano Rizzo and Thai Duong demonstrated how a flaw in ASP.Net's encryption can be exploited to decrypt session cookies or other encrypted data on a remote server, and access and snatch files from a site or Web application that relies on the framework.
According to Rizzo and Duong, the bug enables them to access Web applications with full administrator rights, resulting in everything from "information disclosure to total system compromise."
They estimated that 25% of the Internet's Web sites use ASP.Net.
Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text.
Although Microsoft said it would produce a patch, it has not set a timetable for its release. In the meantime, the company suggested that site and application developers tweak their code.
"[You can] prevent this vulnerability [by enabling] the customErrors feature of ASP.Net and explicitly configure your applications to always return the same error page -- regardless of the error encountered on the server," said Scott Guthrie, who runs several development teams at Microsoft, including the group responsible for ASP.Net. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server."
Microsoft included details on the same work-around in its security advisory.
The work-around protects users against the attack method Rizzo and Duong outlined, but doesn't address the underlying problem. "We will obviously release a patch for this," Guthrie said in a comment added Saturday to his blog post. "Until then, the above workaround closes the attack vector."
Rizzo and Duong dubbed the attack "oracle padding" after the cryptographic term that describes a system that provides hints when queried.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts