Feeds

Microsoft gives temporary fix for info leak in ASP.Net

'Padding oracle' muzzled

Internet Security Threat Report 2014

Microsoft has issued a temporary fix for a cryptographic weakness in widely used web development software that allows attackers to read password files and other sensitive data.

The workaround issued late Friday addresses what is known as a “cryptographic padding oracle” in ASP.Net, a series of web development programs that run on top of Microsoft's Internet Information Services, or IIS. The weakness, which was demonstrated last week at the Ekoparty conference in Argentina, makes it possible for outsiders to read or tamper with sensitive data that is supposed to remain encrypted.

In cryptography parlance, an oracle is something that unintentionally reveals subtle clues about the encrypted contents. The vulnerability in ASP.Net can be exploited by sending a server huge numbers of queries and then analyzing the differing error messages that result. By repeating the process over and over, attackers can read the ASP.Net View State, which is used to keep track of changes made to web forms. The View State page, which can be used to store passwords, database connection strings and other sensitive data, is supposed to remain unreadable.

By tricking ASP.Net into revealing hints about the padding used to encrypt the data, attackers can eventually read or tamper with encrypted data sitting on a server running the web applications.

Microsoft on Friday acknowledged the vulnerability and said its security team was working on a patch that would plug the information disclosure hole.

In the meantime, ASP.Net users should run a script that will identify whether their systems are vulnerable. Systems that test positive should be reconfigured so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle.

Researchers Thai Duong and Juliano Rizzo last week demonstrated a point-and-click tool called POET, short for Padding Oracle Exploitation Tool, that has been updated to decrypt cookies, view states, form authentication tickets, and other sensitive data encrypted by ASP.Net. The video below provides a demonstration of the attack. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.