Feeds

Microsoft to issue emergency patch for ASP.Net vuln

Muzzling 'padding oracle' for good

Using blade systems to cut costs and sharpen efficiencies

Microsoft will release an emergency patch on Tuesday that plugs a security hole in a variety of its web developer tools that has been under active attack for more than a week.

The vulnerability in ASP.Net applications allows attackers to decrypt password files, cookies, and other sensitive data that is supposed to remain encrypted as they pass from the server to a web browser. It works by flooding a server with thousands of corrupted web requests and then analyzing the error messages and other responses that result. The series of responses are known as a “cryptographic padding oracle” that over time deliver information that an attacker can deduce the secret key used to scramble the communications.

The vulnerability was disclosed two weeks ago at the Ekoparty conference in Argentina. Microsoft soon responded with an advisory that warned that the vulnerability was under “limited attack.” It recommended that users implement several temporary measures to make the exploits harder to carry out.

The workaround involves reconfiguring a webserver so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle. Thai Duong, one of the researchers who disclosed the vulnerability, has said turning off customized error messages isn't enough to prevent exploits, because attackers can still glean important clues by measuring the different amounts of time required for certain errors to be returned.

Tuesday's out-of-schedule update will be available at about 10 am Pacific time and initially will be available only on the Microsoft Download Center. It will eventually be released through the Windows Update and Windows Server Update services.

Microsoft's next regularly scheduled patch release is October 12. Curiously, the vulnerability being patched by the out-of-band release is rated “important” the second-highest rating on Microsoft's four-tier severity scale. Emergency patches are usually reserved for "critical" flaws.

More from Microsoft is here. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.