Microsoft confirms ASP.Net vulnerability

Summary: The company has warned that the framework's encryption system leaks cryptographic information through its error codes, although it says no actual exploit has been observed

Microsoft has disclosed a major security vulnerability within ASP.Net, which affects all versions of the web-application framework.

On Friday Microsoft issued a security advisory saying that a vulnerability had been discovered in ASP.Net that could allow attackers to gain encrypted information and details of servers running the software.

"We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," Microsoft wrote.

However, Microsoft recommends "that all customers immediately apply a workaround to prevent attackers from using this vulnerability against... ASP.Net applications", Scott Guthrie, a corporate vice president in Microsoft's developer division, wrote on his blog. Guthrie's blog details the workaround that customers can implement.

The vulnerability exploits certain aspects of how ASP.Net encrypts its information. Attackers can repeatedly send enciphered text to a web server and analyse the error codes returned, eventually piecing together enough information to decipher the text. Once an attacker achieves this, they can request and download files within the ASP.Net application and decrypt information sent through the application.
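As an added example (not from the article or from Microsoft), here is a defender-side log check for the traffic pattern described above: one client submitting many different ciphertexts to the same endpoint and receiving mostly error responses. The log format, the `/app/handler` path, the `d=` parameter and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: '<ISO time> <client> <path> <token> <status>'."""
    t0 = datetime(2010, 9, 20, 10, 0, 0)
    lines = []
    for i in range(300):  # one client, a new ciphertext every second, mostly errors
        status = 200 if i % 100 == 99 else 500
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 203.0.113.7 "
                     f"/app/handler d={i:032x} {status}")
    for i in range(50):   # ordinary client: one valid token, an occasional error
        status = 500 if i % 10 == 0 else 200
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).isoformat()} 198.51.100.4 "
                     f"/app/handler d={'ab' * 16} {status}")
    return lines

def find_oracle_probing(lines, window=timedelta(minutes=10),
                        min_errors=100, min_ratio=0.9):
    """Return sorted (client, path) pairs whose traffic looks like error-oracle probing.

    Thresholds are illustrative assumptions, not values from any advisory.
    """
    events = defaultdict(list)
    for line in lines:
        ts, client, path, token, status = line.split()
        events[(client, path)].append((datetime.fromisoformat(ts), token, int(status)))
    flagged = []
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            # Distinct ciphertexts the server rejected inside the window
            failed = {tok for _, tok, st in win if st >= 400}
            if len(failed) >= min_errors and len(failed) / len(win) >= min_ratio:
                flagged.append(key)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for client, path in find_oracle_probing(build_sample_log()):
        print(f"possible error-oracle probing: {client} -> {path}")
```

Counting distinct rejected ciphertexts, rather than raw errors, keeps a client that retries one stale token from being flagged.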

One example of an application that relies on ASP.Net and is affected by this exploit is enterprise collaboration platform SharePoint, according to Guthrie, who has been responding to queries on his blog.

Microsoft is working with its Microsoft Active Protections Program partners to gather information on the exploit, and will correct the root cause of the issue.

About

Jack Clark has spent the past three years writing about the technical and economic principles that are driving the shift to cloud computing. He's visited data centers on two continents, quizzed senior engineers from Google, Intel and Facebook on the technologies they work on and read more technical papers than you care to name on topics f...
