Malware attacks force MS to ship emergency ASP.net patch

Microsoft plans to ship an out-of-band security update tomorrow (September 28, 2010) to fix a serious ASP.net vulnerability that's being exploited in the wild.

The vulnerability, which exposes ASP.net applications to information disclosure attacks, was publicly discussed at this year's ekoparty security conference in Argentina and Microsoft says there are "limited attacks" and ongoing attempts to bypass existing workarounds.

According to Juliano Rizzo, the researcher who disclosed this vulnerability, an attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework’s API.

Rizzo said the vulnerabilities exploited affect the framework used by 25 percent of Web sites on the Internet. “The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise,” he added.

Less than a week after Rizzo's disclosure, Microsoft says it will ship an emergency update with a severity rating of "important" for all versions of the .NET Framework when used on Windows Server operating systems.

Windows desktop systems are listed as affected, but consumers are not vulnerable unless they are running a Web server from their computer.

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

Microsoft says the patch will only be available tomorrow at the Microsoft Download Center.

It will also be released through Windows Update and Windows Server Update Services within the next few days.

Talkback

11 comments
  • An out-of-band patch rated *important* and not *critical*?

    Doesn't compute. Why out-of-band then?

    But this is a bad one. If a site inadvertently discloses the HTTP error code when an attacker fiddles with an encrypted cipher, the attacker can learn the machine key.

    A site may even reveal such information just based on *how quickly* it fails - even if it uses a generic error page which doesn't reveal information about the error otherwise.

    Note: This bug is found in JSF and Ruby-on-Rails (and probably many other frameworks) as well. These will not be patched by Microsoft ;)
    honeymonster
    • However...

      With ASP.net (more so than the others) if you've got hold of the machine key via this flaw then all it takes is a special request to the server using that key to download any file within the application directory. This could be, for example, the web.config file, which could contain sensitive information like database connection strings and passwords.

      That's probably why Microsoft's rushing faster than the others. Microsoft systems are more likely to be totally boinked by successful use of this flaw.
      zkiwi
    • Critical vs Important

      @honeymonster

      In MS terminology, "Critical" refers specifically to flaws that worms could use to propagate throughout the Internet without human input. "Important" is "every other kind of flaw that's really serious."

      Not saying it makes sense, just explaining how it is =)
      npiaseck
    • RE: Malware attacks force MS to ship emergency ASP.net patch

      @honeymonster

      This makes perfect sense:
      - Critical: A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

      - Important: A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.
      ryanstrassburg
  • Here we go again

    Danke for the heads-up.
    klumper
    • I agree. No matter what web server operating system we use

      it appears we spend too much time patching vulnerabilities.
      Tim Cook
  • Not a problem with Plone CMS

    fyi,
    http://plone.org/products/plone/security/overview

    Security overview:
    Problem A3: Broken Authentication and Session Management
    How Plone handles this: Plone authenticates users in its own database using a SHA-1 hash of their password. Using its modular authentication system Plone can also authenticate users against common authentication systems such as LDAP and SQL as well as any other system for which a plugin is available (Gmail, OpenID, etc.). After authentication, Plone creates a session using a SHA-1 hash of a secret stored on the server and the userid (HMAC-SHA-1). Secrets can be refreshed on a regular basis to add extra security where needed.
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Malware attacks force MS to ship emergency ASP.net patch

      @Dietrich T. Schmitz, Your Linux Advocate


      I know nothing about Plone CMS,
      Isn't SHA-1 outdated?


      Hooah!
      daikon
      • RE: Malware attacks force MS to ship emergency ASP.net patch

        @Linux Rocks
        It is published that SHA-1 can be hacked in 2^69 hash operations.
        So, if you have 100,000 computers at your disposal and each computer can do 4,000,000 operations/second, you can hack a key in 1,475,739 seconds, or, 17 days.

        Anybody have 100,000 computers handy?
        Enuf said.
        Dietrich T. Schmitz, ~ Your Linux Advocate
    • Plone creates a session using a SHA-1 hash

      @Dietrich T. Schmitz, Your Linux Advocate

      "Plone creates a session using a SHA-1 hash"

      You really should read up on the topics before commenting. *This is the exact* problem. Plone is probably vulnerable as well.
      honeymonster
      • Theoretically yes. In practical terms, no.

        @honeymonster
        See my reply above:
        http://www.zdnet.com/tb/1-88371-1676015
        Dietrich T. Schmitz, ~ Your Linux Advocate
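
The session scheme described in the Plone overview quoted in the thread above (an HMAC-SHA-1 over the userid, keyed with a server-side secret that is refreshed periodically), as an added example. This is not Plone's code: the `userid:mac` token format, the function names and the secrets are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed secrets, newest first. Real ones are random and stay server-side.
SECRETS = [b"constructed-secret-2010-10", b"constructed-secret-2010-09"]


def sign(userid: str, secret: bytes) -> str:
    """HMAC-SHA-1 over the userid, keyed with the server secret (hex digest)."""
    return hmac.new(secret, userid.encode("utf-8"), hashlib.sha1).hexdigest()


def issue_token(userid: str, secrets=SECRETS) -> str:
    """Sign with the newest secret. 'userid:mac' is an assumed token format."""
    return f"{userid}:{sign(userid, secrets[0])}"


def verify_token(token: str, secrets=SECRETS):
    """Return the userid if the MAC matches any current secret, else None.

    Every failure (malformed, forged, expired secret) returns the same None,
    so a caller cannot turn failure kinds into distinguishable responses.
    """
    userid, sep, mac = token.rpartition(":")
    if not sep or not userid:
        return None
    ok = False
    for secret in secrets:
        expected = sign(userid, secret).encode("ascii")
        # compare_digest does not stop at the first differing byte, so the
        # time taken says nothing about how much of a guess was right.
        ok |= hmac.compare_digest(expected, mac.encode("utf-8"))
    return userid if ok else None


def rotate(new_secret: bytes, secrets, keep=2):
    """Refresh: the new secret goes first, the oldest falls out of the window."""
    return ([new_secret] + list(secrets))[:keep]
```

After `rotate()`, tokens signed with the dropped secret stop verifying, while tokens signed with the previous newest secret remain valid until the next refresh.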