Microsoft has responded to news of a serious security vulnerability in the way that ASP.Net web applications are secured by issuing an emergency patch.
And you know that if a problem is serious enough that Microsoft decides to release a fix outside of its normal “Patch Tuesday” monthly schedule, it’s definitely an important vulnerability.
And rightly so – ASP.Net is a very popular framework for building applications on the web, with many online banking and ecommerce sites relying upon the technology.
The security issue was discovered by researchers Thai Duong and Juliano Rizzo, who found a way to exploit how ASP.NET web applications handle encrypted session cookies, and demonstrated their findings at a security conference in Argentina earlier this month.
The pair created POET (Padding Oracle Exploitation Tool), which finds and exploits the vulnerability automatically.
If left unfixed, the security hole could give malicious hackers the ability to read any file on a web application server.
Chillingly, Duong said:
“It’s worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”
Worryingly, the security flaw has already been exploited in some attacks, raising the spectre of unauthorised information disclosure.
You can’t imagine that Microsoft enjoys finding out about security vulnerabilities in its code this way. Nevertheless, it now says that it has a fix for the problem.
Microsoft’s security bulletin MS10-070 rates the security update as “important” for all supported editions of ASP.Net except Microsoft .NET Framework 1.0 Service Pack 3.
Consumers shouldn’t need to do anything unless they are running a web server from their computer. This is probably the reason why Microsoft isn’t initially making the update available through the normal Windows Update services, and is instead directing affected customers to download it manually from the Microsoft Download Center.