Microsoft said it would issue an emergency update repairing a longstanding flaw in its .NET framework that is being targeted in attacks.
The flaw lies in the way the ASP.NET Web application framework implements AES encryption. The same issue has existed for years in other development frameworks, but a hacking tool released earlier this month makes it much easier for less skilled attackers to find and exploit faulty encryption. The technique enables an attacker to view encrypted data on a Web server or in a Web application, including stored cookies.
Dave Forstrom, director of Microsoft's Trustworthy Computing group, said the update would be issued today around 1 p.m. ET, well ahead of Microsoft's next scheduled release on Oct. 12. Microsoft will also push the update through Windows Update and Windows Server Update Services over the next few days, once those distribution channels have been tested, Forstrom said.
"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," Forstrom wrote on the Microsoft Security Response Center Blog.
Microsoft is rating the update "important" for all versions of the .NET framework running on Windows Server. Windows desktop systems are also affected, but far fewer users run the framework as a Web server on their desktop machines.
The attack works by tricking the Web server behind the application into revealing sensitive information through its error messages: because the server responds differently when the padding of a decrypted message is valid and when it is not, an attacker can use those responses to break the AES encryption without knowing the key. Two researchers, Juliano Rizzo and Thai Duong, who developed the Padding Oracle Exploit Tool (POET), described the padding oracle attack technique in a research paper.
In its ASP.NET security advisory, Microsoft outlined a workaround that stops the Web server from sending detailed error messages, which makes the attack more difficult to carry out.
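To make the difference between the two behaviours concrete, here is an added example (not Microsoft's code and not the researchers' tool) contrasting a handler that reveals which step of decryption failed with one that verifies integrity first and returns a single response for every failure. It uses a constructed Feistel block cipher in place of AES so it runs on the Python standard library; the keys and messages in it are constructed for the demonstration.

```python
import hashlib, hmac, os
BLOCK = 16
# Constructed stand-in for AES (4-round Feistel network keyed with HMAC-SHA256) so this
# runs on the standard library alone; the response handling below applies unchanged to AES-CBC.
def _f(key, i, half): return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def block_cipher(key, blk, decrypt=False):
    l, r = blk[:8], blk[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r
def cbc(key, iv, data, decrypt=False):  # data is a whole number of blocks
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out.append(_xor(block_cipher(key, blk, True), prev)); prev = blk
        else:
            prev = block_cipher(key, _xor(blk, prev)); out.append(prev)
    return b"".join(out)
def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n: raise ValueError("bad padding")
    return data[:-n]
def tag(mac_key, iv, ct): return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def seal(enc_key, mac_key, plaintext):  # PKCS#7 pad, CBC encrypt, then MAC the ciphertext
    n = BLOCK - len(plaintext) % BLOCK
    iv = os.urandom(BLOCK)
    ct = cbc(enc_key, iv, plaintext + bytes([n]) * n)
    return iv + ct + tag(mac_key, iv, ct)

def leaky_open(enc_key, mac_key, blob):
    # Flawed: decrypt and unpad first, verify afterwards, and name each failure.
    # The two distinguishable responses are exactly the oracle the attack needs.
    iv, ct, t = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    try:
        pt = pkcs7_unpad(cbc(enc_key, iv, ct, decrypt=True))
    except ValueError:
        return "500 Bad padding"
    if not hmac.compare_digest(t, tag(mac_key, iv, ct)):
        return "403 Bad signature"
    return "200 " + pt.decode()

def hardened_open(enc_key, mac_key, blob):
    # Verify the tag before decrypting anything; every failure gets one identical response.
    iv, ct, t = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(t, tag(mac_key, iv, ct)):
        return "500 Error"
    try:
        return "200 " + pkcs7_unpad(cbc(enc_key, iv, ct, decrypt=True)).decode()
    except ValueError:  # covers bad padding and undecodable plaintext alike
        return "500 Error"
```

The uniform response in `hardened_open` is the same idea as Microsoft's advisory workaround of serving one generic error page, applied at the code level, and checking the MAC before decrypting removes the oracle entirely rather than just hiding it.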