Attacks launched using ASP.Net zero-day flaw

Summary: Microsoft has warned that a flaw in ASP.Net cryptography, which also affects SharePoint software, is being actively used in attacks

Attackers are taking advantage of a zero-day flaw in Microsoft's ASP.Net web application framework — a vulnerability that also affects SharePoint software.

Microsoft has sent out a warning to inform people about the attempts on ASP.Net servers, the company's director of trustworthy computing Dave Forstrom said in a blog post on Tuesday.

"We've just updated Microsoft Security Advisory 2416728 as we've begun to see limited attacks with the ASP.Net vulnerability," said Forstrom. "We have added questions and answers, and encourage customers to review this information and evaluate it for their environment."

The flaw lies in how ASP.Net encrypts information. An attacker can send cipher text to an ASP.Net web server, and learn if the text was decrypted properly by examining which error code was returned by the web server, according to Scott Guthrie, a corporate vice president in Microsoft's developer division.

Attackers can use this information to work out how to request and download sensitive files within an ASP.Net application, such as the web.config file, said Guthrie. They can also decrypt data sent to the client in an encrypted form.
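As an added example (not from the article or from Microsoft), this is one way a defender could search web server logs for the behaviour described above: a single client submitting many different encrypted values and receiving almost only error responses. The simplified log format, the parameter name `d`, the path and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

MIN_REQUESTS = 20      # assumed threshold: distinct ciphertexts per client
MIN_ERROR_RATIO = 0.9  # assumed threshold: share of those answered with an error


def parse_line(line):
    """Split a simplified 'ip path query status' record (format is an assumption)."""
    ip, path, query, status = line.split()
    token = parse_qs(query).get("d", [""])[0]  # 'd' = hypothetical encrypted parameter
    return ip, path, token, int(status)


def find_oracle_probing(lines):
    """Return {(ip, path): (distinct_tokens, error_ratio)} for suspicious clients."""
    seen = defaultdict(dict)  # (ip, path) -> {token: last status seen}
    for line in lines:
        if not line.strip():
            continue
        ip, path, token, status = parse_line(line)
        if token:
            seen[(ip, path)][token] = status
    flagged = {}
    for key, tokens in seen.items():
        errors = sum(1 for s in tokens.values() if s >= 400)
        ratio = errors / len(tokens)
        if len(tokens) >= MIN_REQUESTS and ratio >= MIN_ERROR_RATIO:
            flagged[key] = (len(tokens), ratio)
    return flagged


def constructed_sample():
    """Constructed log lines: two ordinary clients, one client cycling ciphertexts."""
    lines = ["198.51.100.4 /app/resource d=Zm9vYmFy 200",
             "198.51.100.4 /app/resource d=Zm9vYmFy 200",
             "198.51.100.9 /app/resource d=YmF6cXV4 404"]
    for i in range(40):
        status = 500 if i % 8 else 404  # differing error codes are what leak the result
        lines.append(f"203.0.113.7 /app/resource d=QUJD{i:04d} {status}")
    lines.append("203.0.113.7 /app/resource d=QUJD9999 200")
    return lines


if __name__ == "__main__":
    for (ip, path), (count, ratio) in find_oracle_probing(constructed_sample()).items():
        print(f"{ip} {path}: {count} distinct values, {ratio:.0%} errors")
```

The thresholds need tuning against normal traffic for the application, since a single stale or mistyped link also produces an error response.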

Microsoft's SharePoint software platform is also vulnerable to the ASP.Net encryption flaw, Guthrie said in an FAQ published on Monday.

In an advisory, Microsoft's SharePoint team said the vulnerability affects SharePoint 2010 and SharePoint Foundation 2010. The company has provided a workaround for the flaw.

The software maker is working on a patch for the ASP.Net flaw, which it will release via Windows Update once the fix has been tested, according to Guthrie.

Tom Espiner


Talkback

1 comment
  • I am sorry, please forgive my ignorance, but I am having a malicious error message on my website, which is built by DNN (DotNetNuke). Could this have happened because of something related to this issue?
    y_teilab