Attacks launched using ASP.Net zero-day flaw

Attackers are taking advantage of a zero-day flaw in Microsoft's ASP.Net web application framework — a vulnerability that also affects SharePoint software.

Microsoft has sent out a warning to inform people about the attempts on ASP.Net servers, the company's director of trustworthy computing Dave Forstrom said in a blog post on Tuesday.

"We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.Net vulnerability," said Forstrom. "We have added questions and answers, and encourage customers to review this information and evaluate it for their environment."

The flaw lies in how ASP.Net encrypts information. An attacker can send cipher text to an ASP.Net web server, and learn if the text was decrypted properly by examining which error code was returned by the web server, according to Scott Guthrie, a corporate vice president in Microsoft's developer division.

Attackers can use this information to work out how to request and download sensitive files within an ASP.Net application, such as the web.config file, said Guthrie. They can also decrypt data sent to the client in an encrypted form.

Microsoft's SharePoint software platform is also vulnerable to the ASP.Net encryption flaw, Guthrie said in an FAQ published on Monday.

In an advisory, Microsoft's SharePoint team said the vulnerability affects SharePoint 2010 and SharePoint Foundation 2010. The company has provided a workaround for the flaw.

The software maker is working on a patch for the ASP.Net flaw, which it will release via Windows Update once the fix has been tested, according to Guthrie.