Attacks launched using ASP.Net zero-day flaw

Summary: Microsoft has warned that a flaw in ASP.Net cryptography, which also affects SharePoint software, is being actively used in attacks

Attackers are taking advantage of a zero-day flaw in Microsoft's ASP.Net web application framework — a vulnerability that also affects SharePoint software.

Microsoft has sent out a warning to inform people about the attempts on ASP.Net servers, the company's director of trustworthy computing Dave Forstrom said in a blog post on Tuesday.

"We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.Net vulnerability," said Forstrom. "We have added questions and answers, and encourage customers to review this information and evaluate it for their environment."

The flaw lies in how ASP.Net encrypts information. An attacker can send cipher text to an ASP.Net web server, and learn if the text was decrypted properly by examining which error code was returned by the web server, according to Scott Guthrie, a corporate vice president in Microsoft's developer division.

Attackers can use this information to work out how to request and download sensitive files within an ASP.Net application, such as the web.config file, said Guthrie. They can also decrypt data sent to the client in an encrypted form.
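A defender's view of the behaviour described above, as an added example that is not from the article or from Microsoft: a log check that flags a client which submits many different ciphertext values and receives more than one kind of error code in return. The log format, the `/handler.axd` path, the `d` parameter name, the addresses and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_sample_log():
    """Constructed log lines: 'timestamp client_ip path query status'."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i in range(300):  # one client, a new ciphertext value each time
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        status = 404 if i % 16 == 0 else 500  # two distinguishable errors
        lines.append(f"{ts} 203.0.113.7 /handler.axd d=ct{i:04d} {status}")
    for i in range(120):  # stale link retried: same value, same error
        ts = (base + timedelta(milliseconds=300 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 /handler.axd d=stale 500")
    lines.append(f"{base.isoformat()} 192.0.2.44 /default.aspx - 200")
    return lines

def find_oracle_probing(lines, param="d", window=timedelta(seconds=60),
                        min_errors=100, min_distinct=50):
    """Return clients that sent many distinct values of `param` and got
    back at least two different error codes inside one time window."""
    events = defaultdict(list)  # ip -> [(time, value, status)]
    for line in lines:
        ts, ip, _path, query, status = line.split()
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if param in params and int(status) >= 400:
            events[ip].append((datetime.fromisoformat(ts), params[param], int(status)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            values = {v for _, v, _ in win}
            codes = sorted({s for _, _, s in win})
            if len(win) >= min_errors and len(values) >= min_distinct and len(codes) >= 2:
                flagged[ip] = {"errors": len(win), "distinct_values": len(values), "codes": codes}
                break
    return flagged

if __name__ == "__main__":
    for ip, detail in find_oracle_probing(make_sample_log()).items():
        print(ip, detail)
```

The client that repeats one stale value and always gets the same error is not flagged, which keeps ordinary broken links out of the result.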

Microsoft's SharePoint software platform is also vulnerable to the ASP.Net encryption flaw, Guthrie said in an FAQ published on Monday.

In an advisory, Microsoft's SharePoint team said the vulnerability affects SharePoint 2010 and SharePoint Foundation 2010. The company has provided a workaround for the flaw.

The software maker is working on a patch for the ASP.Net flaw, which it will release via Windows Update once the fix has been tested, according to Guthrie.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
