Feeds

Microsoft to issue emergency patch for ASP.Net vuln

Muzzling 'padding oracle' for good

Internet Security Threat Report 2014

Microsoft will release an emergency patch on Tuesday that plugs a security hole in a variety of its web developer tools that has been under active attack for more than a week.

The vulnerability in ASP.Net applications allows attackers to decrypt password files, cookies, and other sensitive data that is supposed to remain encrypted as they pass from the server to a web browser. It works by flooding a server with thousands of corrupted web requests and then analyzing the error messages and other responses that result. The series of responses are known as a “cryptographic padding oracle” that over time deliver information that an attacker can deduce the secret key used to scramble the communications.

The vulnerability was disclosed two weeks ago at the Ekoparty conference in Argentina. Microsoft soon responded with an advisory that warned that the vulnerability was under “limited attack.” It recommended that users implement several temporary measures to make the exploits harder to carry out.

The workaround involves reconfiguring a webserver so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle. Thai Duong, one of the researchers who disclosed the vulnerability, has said turning off customized error messages isn't enough to prevent exploits, because attackers can still glean important clues by measuring the different amounts of time required for certain errors to be returned.

Tuesday's out-of-schedule update will be available at about 10 am Pacific time and initially will be available only on the Microsoft Download Center. It will eventually be released through the Windows Update and Windows Server Update services.

Microsoft's next regularly scheduled patch release is October 12. Curiously, the vulnerability being patched by the out-of-band release is rated “important” the second-highest rating on Microsoft's four-tier severity scale. Emergency patches are usually reserved for "critical" flaws.

More from Microsoft is here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.