
Microsoft plans emergency update for ASP.NET encryption flaw

Attackers are targeting a weakness in the ASP.NET Web application framework. A fix is expected today at 1 p.m. ET.

Microsoft said it would issue an emergency update, repairing a longstanding flaw in its .NET framework being targeted by attackers.


The flaw alters the ASP.NET Web application framework, producing faulty AES encryption implementations. The issue has been longstanding in other development frameworks, but a hacking tool released earlier this month makes it much easier for less savvy hackers to target and exploit faulty encryption. The technique enables an attacker to view encrypted data on a Web server or in a Web application, including stored cookies.

Dave Forstrom, director of Microsoft's Trustworthy Computing, said the update would be issued today around 1 p.m. ET, well ahead of the next scheduled release from Microsoft on Oct. 12. Microsoft will also release the update through Windows Update and Windows Server Update Services over the next few days in a test to the distribution channels, Forstrom said.

"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Forstrom wrote on the Microsoft Security Response Center Blog.

Microsoft is rating the update "important" for all versions of the .NET framework running on Windows Server. Windows desktop systems are affected, but fewer users run the framework on a Web server from their computer.

The attack works by tricking the Web server behind the applications into giving up sensitive information in error messages. The error data returned by the Web server can be used to break the AES encryption. Two researchers, Juliano Rizzo and Thai Duong, who developed the Padding Oracle Exploit Tool (POET), wrote about the padding attack technique in a research paper.

In the ASP.NET flaw security advisory, Microsoft outlined a workaround blocking the Web server from sending out detailed error messages, which can be deployed to make the attack more difficult to carry out.
