Microsoft issues emergency out-of-band patch for ASP.Net

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Microsoft has responded to news of a serious security vulnerability in the way that ASP.Net web applications are secured by issuing an emergency patch.

And you know that if a problem is serious enough for Microsoft decides to release a fix outside of its normal “Patch Tuesday” monthly schedule that it’s definitely an important vulnerability.

And rightly so – ASP.Net is a very popular framework for building applications on the web, with many online banking and ecommerce sites relying upon the technology.

The security issue was discovered by researchers Thai Duong and Juliano Rizzo, who found a way of exploiting the way that ASP.net web applications handle encrypted session cookies, and demonstrated their findings at a security conference in Argentina earlier this month.

Sign up to our free newsletter.
Security news, advice, and tips.

The pair created POET (Padding Oracle Exploitation Tool), which finds and exploits the vulnerability automatically.

If left unfixed, the security hole could give malicious hackers the ability to read any file on a web application server.

Chillingly, Duoung said:

“It’s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

Worryingly, the security flaw has been exploited in some attacks already raising the spectre of unauthorised information disclosure.

You can’t imagine that Microsoft enjoys finding out about security vulnerabilities in its code this way. Nevertheless, it now says that it has a fix for the problem.

Microsoft’s security bulletin MS10-070 rates the security update as “important” for all supported editions of ASP.Net except Microsoft .NET Framework 1.0 Service Pack 3.

Consumers shouldn’t need to do anything unless they are running a web server from their computer. This is probably the reason why Microsoft isn’t initially making the update available through the normal Windows Update services, and instead directing affected customers to manually download it from the Microsoft Download Center instead.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.