Microsoft issues rushed patch for ASP.NET encryption flaw

Emergency patch repairs a vulnerability in the ASP.NET framework that causes faulty AES encryption implementations.

Microsoft has issued an out-of-band security update, blocking ongoing attacks against a flaw in the ASP.NET web application framework that can cause poor encryption implementations.

The emergency bulletin, MS-10-070, blocks ongoing attacks that could enable an attacker to read encrypted data from a Web server. The hole can also be used to decrypt any data, including session cookies, that was encrypted by the server.

The patch is rated important for the .NET framework running on all supported versions of Windows, including Windows Server 2003 and 2008.

Microsoft issued an advisory earlier this month after two researchers demonstrated a padding oracle attack against ASP.NET. The attack works by tricking the Web server behind the applications into giving up sensitive information in error messages. Earlier workarounds suggested by Microsoft made the attack more difficult to carry out, but did not block it completely.
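To make the error-message oracle concrete, here is an added example in Python (not Microsoft's code and not from the bulletin): a toy CBC decryptor behind two request handlers, one that reports padding failures separately from other failures, and one that checks an HMAC over the token before decrypting and answers every failure the same way. The block cipher is a constructed SHA-256 Feistel stand-in for AES, and the keys, IV and `user=` token format are constructed for the demo.

```python
import hashlib
import hmac
BLOCK = 16
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
_f = lambda key, half, rnd: hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def feistel(key, blk, decrypt=False):  # toy 16-byte Feistel block cipher standing in for AES
    l, r = blk[:8], blk[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, l, i)), l) if decrypt else (r, _xor(l, _f(key, r, i)))
    return l + r

def cbc_encrypt(key, iv, pt):  # PKCS#7 padding, then CBC mode
    n = BLOCK - len(pt) % BLOCK
    pt, prev, out = pt + bytes([n]) * n, iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # raises ValueError when the padding is malformed
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    out = b"".join(_xor(feistel(key, b, True), p) for p, b in zip([iv] + blocks, blocks))
    n = out[-1]
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return out[:-n]

def leaky_server(key, mac_key, iv, ct, tag):  # vulnerable: mac_key/tag ignored (token not
    try:                                        # authenticated) and padding errors reported apart
        pt = cbc_decrypt(key, iv, ct)
    except ValueError:
        return "500 padding error"  # this distinguishable reply is the oracle
    return "200 OK" if pt.startswith(b"user=") else "403 bad session"

def hardened_server(key, mac_key, iv, ct, tag):  # fixed: HMAC over iv+ct verified first,
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, "sha256").digest(), tag):
        return "403 invalid token"                # and every failure gets the same reply
    try:
        pt = cbc_decrypt(key, iv, ct)
    except ValueError:
        return "403 invalid token"
    return "200 OK" if pt.startswith(b"user=") else "403 invalid token"

def oracle_present(server):  # constructed check: do two different tamperings get different replies?
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(range(16))  # constructed demo keys and IV
    ct = cbc_encrypt(key, iv, b"user=alice")  # one block: 10 data bytes plus 6 padding bytes
    tag = hmac.new(mac_key, iv + ct, "sha256").digest()
    tampered = [bytes([iv[0] ^ 0x80]) + iv[1:], iv[:15] + bytes([iv[15] ^ 0x80])]  # data byte / pad byte
    return len({server(key, mac_key, t, ct, tag) for t in tampered}) > 1
```

`oracle_present(leaky_server)` is true because the two tampered tokens draw different replies, while `oracle_present(hardened_server)` is false because both are rejected identically before any decryption happens.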

Web application security experts said the use of .NET for Web applications was popular a few years ago. Today, about 25% of Internet-facing applications are made with the ASP.NET framework, but many enterprises have been turning to other programming languages, such as Java or PHP.

Padding oracle vulnerabilities affecting encryption implementations have been known in the research community since 2002. Ruby on Rails and the OWASP Enterprise Security API toolkits could also be affected by the issue.

~Robert Westervelt
