Update – September 28 – Microsoft will release an out-of-band update for ASP.NET applications. See http://blogs.technet.com/b/msrc/archive/2010/09/27/out-of-band-release-to-address-microsoft-security-advisory-2416728.aspx for additional details.
On September 17, a major vulnerability was identified that affects all ASP.NET applications. Microsoft has acknowledged the condition, and efforts are underway to develop a patch. The URLs provided below include most of the information currently available. All web administrators who run ASP.NET applications are advised to implement the workaround (see customErrors below), which limits the detail disclosed in web server error messages.
Microsoft Issues Workaround for ASP.NET Vulnerability
Microsoft has published a workaround for a security vulnerability in its ASP.NET software that was disclosed last week.
The company admitted to the problem in a security advisory published on Friday. “A few hours ago we released a Microsoft security advisory about a vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET 2,” wrote Windows developer Scott Guthrie in a blog post. “This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround to prevent attackers using this vulnerability against your ASP.NET applications.”
The flaw allows attackers to request and download files from within an ASP.NET application, which could include the web.config file.
The flaw also allows attackers to decrypt data that the application sent to the client in encrypted form.
Guthrie explained that exploiting the vulnerability requires a large number of requests. “By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text,” he said.
Administrators should enable the <customErrors> feature of ASP.NET and configure the application to always return the same error message, regardless of the error type. This prevents attackers from “distinguishing between the different types of errors that occur on a server”, according to Guthrie.
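The customErrors workaround described above, written out as an added web.config example (this is illustrative configuration, not text from the original page or from Microsoft's advisory; the error page name "error.aspx" is a placeholder):

```xml
<!-- web.config of the affected ASP.NET application (added example).
     Goal: every error, whatever its cause, produces the same response to the client. -->
<configuration>
  <system.web>
    <!-- ASP.NET 3.5 SP1 and later: ResponseRewrite serves the error page in place of the
         original response, so the client is not redirected to a URL that differs by error type. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
    <!-- ASP.NET 2.0 / 3.0 (no redirectMode attribute): use a single static page instead.
         <customErrors mode="On" defaultRedirect="~/error.html" />
    -->
    <!-- Deliberately NO <error statusCode="..." redirect="..."/> child entries. A separate
         page for, say, 404 versus 500 would let a client tell the error types apart again,
         which is exactly the signal this workaround is meant to remove.
         Check: if the block is present, remove it. -->
  </system.web>
</configuration>
```

Verify the result by requesting a URL that does not exist and one that triggers a server-side exception: both must return an identical page with the same status code.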
Microsoft has also released a small code patch for ASP.NET. Affected software includes Windows XP (including SP3 and Professional), Windows Server 2003 and 2008, Windows Vista and Windows 7.
Update to Security Advisory 2416728 – http://www.microsoft.com/technet/security/advisory/2416728.mspx
Microsoft Security Advisory (2416728)
Vulnerability in ASP.NET Could Allow Information Disclosure
Additional Information about the ASP.NET Vulnerability
Update – Additional information on the symptoms of a successful exploitation of the vulnerability