14 DAY TRIAL // Microsoft warns that active attacks are exploiting a recently disclosed vulnerability in all versions of .NET Framework, which affects the majority of ASP.NET applications.
"We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.NET vulnerability. "We have added questions and answers and encourage customers to review this information and evaluate it for their environment," the Redmond giant announced via its Microsoft Security Response Center (MSRC) blog.
The vulnerability and attack methods, known as "oracle padding," have been demonstrated last Friday at the ekoparty Security Conference in Argentina by security researchers Juliano Rizzo and Thai Duong.
Microsoft has provided an workaround via its security advisory, which involves configuring ASP.NET applications to serve the same custom page for all types of errors.
This prevents attackers from observing error differences when sending tampered encrypted data to the server, which would otherwise allow them to obtain the information required to decrypt it.
In this advisory update Microsoft also confirms that using a custom logging module which redirects to an error page, can be used an alternative solution to the problem, as long as it doesn't allow clients to distinguish between error responses or the time it takes to serve them.
It is also noted that the previously described workaround is most secure on .NET Framework 3.5 Service Pack 1 and 4.0.
These versions allow using the redirectMode="ResponseRewrite" option, which introduces a random delay when serving the custom error pages. This feature thwarts a part of the exploit, which relies on analyzing response times.
Clearly, Microsoft is not very happy that this information is out in the public domain, without a patch being available.
"As always, we continue to advocate for community-based defense through coordinated vulnerability disclosure.
"We fundamentally believe, and history has shown, that once vulnerability details are released publicly, the probability of exploitation rises significantly. "Without coordination in place to provide a security update or proper guidance, risk to customers is greatly amplified," Dave Forstrom, director of trustworthy computing at Microsoft, said.