Microsoft issued a warning late Monday, saying it has seen active attacks targeting ASP.NET Web applications with flawed encryption implementations.
The vulnerability affects Microsoft's .NET framework running on nearly all versions of Windows. The attacks started only days after two researchers released the Padding Oracle Exploit Tool, which automatically finds and exploits encryption padding oracle vulnerabilities in ASP.NET Web applications.
The attack works by sending the Web server behind the applications modified encrypted data and observing the error messages it returns; the differences between those error responses reveal whether the decrypted data was correctly padded, and that information can be used to break the AES encryption.
In the Microsoft Security Response Center Blog, Jerry Bryant, group manager of Microsoft Response Communications, said Microsoft determined that some of its customers were experiencing attacks against their systems. Attacks would have been less likely if the researchers disclosed the vulnerability privately, he wrote.
"As always, we continue to advocate for community-based defense through coordinated vulnerability disclosure," Bryant wrote. "We fundamentally believe, and history has shown, that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or proper guidance, risk to customers is greatly amplified."
The vulnerability is serious, but many developers and security teams have had time to fix vulnerable applications, said Jeff Williams, chair of the OWASP Foundation and CEO of Web application testing vendor Aspect Security. ASP.NET applications make up 25% to 30% of Web applications on the Internet, but today many enterprises develop Web applications in Java or PHP, Williams said.
"It's conceivable that many other types of environments are susceptible to this kind of attack, so people should be aware of that," Williams said. "This issue isn't something particularly hard to fix."
Padding oracle vulnerabilities affecting encryption implementations have been known in the researcher community since 2002. Ruby on Rails and the OWASP Enterprise Security API toolkits could also be affected by the issue, according to Juliano Rizzo and Thai Duong, the researchers behind the POET tool. Rizzo wrote about the padding attack technique in a research paper.
Microsoft security engineers outlined the ASP.NET vulnerability at the Security Research and Defense blog. Also included in the blog item is a script that can be used to detect vulnerable ASP.NET applications. The ASP.NET security advisory recommends a workaround to configure Web applications to return the same error message, making it more difficult for an attacker to use the hacking technique.
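The following is an added illustration of the two points the article makes, the leaking error responses and the "return the same error message" workaround; it is not code from the article, from Microsoft, or from the POET authors. It simulates two hypothetical token-handling servers: one that decrypts and then unpads, so a padding failure produces a different HTTP status than any other outcome, and one that applies the uniform-response fix and also goes a step beyond the advisory's workaround by verifying an HMAC over the ciphertext before anything is decrypted, so altered bytes never reach the padding check at all. A four-round Feistel network built on SHA-256 stands in for AES so the code runs with the Python standard library alone (a toy cipher, not a secure one); the keys, IV, and sample session token are constructed values.

```python
import hashlib
import hmac

BLOCK, MAC_LEN = 16, 32

# Constructed demo material; values are fixed only so the run is reproducible.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()[:16]
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
IV = bytes(range(BLOCK))
SECRET = b"session=42;user=alice;issued=2010"   # 33 bytes -> 3 padded blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, i):                  # Feistel round function
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):         # toy 4-round Feistel cipher standing in for AES
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, right, i))
    return right + left                # undo the final swap

def block_decrypt(key, block):
    right, left = block[:8], block[8:]
    for i in reversed(range(4)):
        right, left = left, _xor(right, _f(key, left, i))
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key, token):
    if len(token) < 2 * BLOCK or len(token) % BLOCK:
        raise ValueError("bad length")
    prev, out = token[:BLOCK], []
    for i in range(BLOCK, len(token), BLOCK):
        out.append(_xor(block_decrypt(key, token[i:i + BLOCK]), prev))
        prev = token[i:i + BLOCK]
    return b"".join(out)

class VulnerableServer:
    """Decrypt, then unpad: a padding failure gets a different status than any
    other outcome, so the HTTP response itself acts as the padding oracle."""
    def __init__(self, key, iv):
        self.key, self.iv = key, iv

    def issue(self, data):
        return cbc_encrypt(self.key, self.iv, pkcs7_pad(data))

    def open(self, token):
        try:
            return 200, pkcs7_unpad(cbc_decrypt(self.key, token))
        except ValueError as exc:
            return 500, str(exc).encode()   # "bad padding" is distinguishable

class HardenedServer:
    """Encrypt-then-MAC under a second key: the tag is checked in constant time
    before decryption, and every failure maps to one identical response."""
    def __init__(self, enc_key, mac_key, iv):
        self.enc_key, self.mac_key, self.iv = enc_key, mac_key, iv

    def _tag(self, ct):
        return hmac.new(self.mac_key, ct, hashlib.sha256).digest()

    def issue(self, data):
        ct = cbc_encrypt(self.enc_key, self.iv, pkcs7_pad(data))
        return ct + self._tag(ct)

    def open(self, token):
        ct, tag = token[:-MAC_LEN], token[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._tag(ct)):
            return 400, b"invalid token"    # altered bytes never reach the padding check
        try:
            return 200, pkcs7_unpad(cbc_decrypt(self.enc_key, ct))
        except ValueError:
            return 400, b"invalid token"    # same status and body as a MAC failure

def _flip(token, pos):
    return token[:pos] + bytes([token[pos] ^ 1]) + token[pos + 1:]

def tampered_statuses(server, token, positions):
    # Statuses seen when one ciphertext byte is flipped at each position. More than
    # one distinct status for corrupted input means the response leaks decryption
    # state to the client; a correctly fixed server returns exactly one.
    return {server.open(_flip(token, p))[0] for p in positions}

def run_demo():
    vuln, hard = VulnerableServer(ENC_KEY, IV), HardenedServer(ENC_KEY, MAC_KEY, IV)
    vt, ht = vuln.issue(SECRET), hard.issue(SECRET)
    return {"vulnerable": tampered_statuses(vuln, vt, range(len(vt))),
            "hardened": tampered_statuses(hard, ht, range(len(ht)))}

if __name__ == "__main__":
    print(run_demo())   # {'vulnerable': {200, 500}, 'hardened': {400}}
```

Run as a script, the vulnerable server answers corrupted tokens with two different statuses depending on whether the PKCS#7 padding survived, which is exactly the signal a padding oracle attack consumes; the hardened server answers every corrupted token identically. The same check, collecting the set of responses to byte-altered tokens, is a quick way to confirm that an application's "same error message" workaround actually took effect, and the fixed IV is used here only for reproducibility, not as a recommended practice.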