Feeds

Microsoft gives temporary fix for info leak in ASP.Net

'Padding oracle' muzzled

Providing a secure and efficient Helpdesk

Microsoft has issued a temporary fix for a cryptographic weakness in widely used web development software that allows attackers to read password files and other sensitive data.

The workaround issued late Friday addresses what is known as a “cryptographic padding oracle” in ASP.Net, a series of web development programs that run on top of Microsoft's Internet Information Services, or IIS. The weakness, which was demonstrated last week at the Ekoparty conference in Argentina, makes it possible for outsiders to read or tamper with sensitive data that is supposed to remain encrypted.

In cryptography parlance, an oracle is something that unintentionally reveals subtle clues about the encrypted contents. The vulnerability in ASP.Net can be exploited by sending a server huge numbers of queries and then analyzing the differing error messages that result. By repeating the process over and over, attackers can read the ASP.Net View State, which is used to keep track of changes made to web forms. The View State page, which can be used to store passwords, database connection strings and other sensitive data, is supposed to remain unreadable.

By tricking ASP.Net into revealing hints about the padding used to encrypt the data, attackers can eventually read or tamper with encrypted data sitting on a server running the web applications.

Microsoft on Friday acknowledged the vulnerability and said its security team was working on a patch that would plug the information disclosure hole.

In the meantime, ASP.Net users should run a script that will identify whether their systems are vulnerable. Systems that test positive should be reconfigured so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle.

Researchers Thai Duong and Juliano Rizzo last week demonstrated a point-and-click tool called POET, short for Padding Oracle Exploitation Tool, that has been updated to decrypt cookies, view states, form authentication tickets, and other sensitive data encrypted by ASP.Net. The video below provides a demonstration of the attack. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.