Microsoft confirms ASP.Net vulnerability


Summary: The company has warned that the framework's encryption system leaks cryptographic information through its error codes, although it says no actual exploit has been observed


Microsoft has disclosed a major security vulnerability within ASP.Net, which affects all versions of the web-application framework.

On Friday Microsoft issued a security advisory saying that a vulnerability had been discovered in ASP.Net that could allow attackers to gain encrypted information and details of servers running the software.

"We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," Microsoft wrote.

However, Microsoft recommends "that all customers immediately apply a workaround to prevent attackers from using this vulnerability against... ASP.Net applications", Scott Guthrie, a corporate vice president in Microsoft's developer division, wrote on his blog. Guthrie's blog details the workaround that customers can implement.

The attack exploits certain aspects of how ASP.Net encrypts its information. Attackers can repeatedly send enciphered text to a web server and analyse the error codes returned, eventually piecing together enough information to decipher the text. Once an attacker achieves this, they can request and download files within the ASP.Net application and decrypt information sent through the application.
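The sketch below is an added example, not code from Microsoft or from the article. It shows how distinct error codes leak information about tampered ciphertext and how a keyed integrity check with a single error response closes the leak. It assumes a CBC-style cipher with a padding check; the toy Feistel cipher, keys, handler names and resource name are all constructed for the demonstration, and the hardened handler is a general mitigation pattern, not Microsoft's workaround or fix.

```python
import hashlib, hmac, os
BLOCK = 16
ENC_KEY, MAC_KEY = b"constructed enc key", b"constructed mac key"  # sample keys
RESOURCES = {b"site.css"}  # constructed resource name

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _block(block, rounds):
    # Toy 4-round Feistel cipher standing in for the real block cipher (assumption).
    l, r = block[:8], block[8:]
    for n in rounds:
        l, r = r, _xor(l, hmac.new(ENC_KEY, bytes([n]) + r, hashlib.sha256).digest())
    return r + l

def encrypt(plain):
    pad = BLOCK - len(plain) % BLOCK
    data, out = plain + bytes([pad]) * pad, os.urandom(BLOCK)
    for i in range(0, len(data), BLOCK):
        out += _block(_xor(data[i:i + BLOCK], out[-BLOCK:]), range(4))
    return out

def decrypt(ct):
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK:
        raise ValueError("bad length")
    plain = b"".join(_xor(_block(ct[i:i + BLOCK], range(3, -1, -1)), ct[i - BLOCK:i])
                     for i in range(BLOCK, len(ct), BLOCK))
    pad = plain[-1]
    if not 1 <= pad <= BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return plain[:-pad]

def leaky_handler(token):
    try:
        return 200 if decrypt(token) in RESOURCES else 404
    except ValueError:
        return 500  # padding failure gets its own error code: the leak

def seal(plain):
    ct = encrypt(plain)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
def hardened_handler(token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return 400  # tampered tokens are rejected before any decryption
    return 200 if leaky_handler(ct) == 200 else 400  # one code for every failure

def codes_seen(handler, token):
    # Status codes returned when one bit of the first or last IV byte is flipped.
    return {handler(token[:i] + bytes([token[i] ^ 1]) + token[i + 1:]) for i in (0, BLOCK - 1)}
```

Running `codes_seen` against both handlers works as a regression check: the leaky handler answers the two tampered tokens with two different codes, while the hardened one answers both with the same code.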

One example of an application that relies on ASP.Net and is affected by this exploit is enterprise collaboration platform SharePoint, according to Guthrie, who has been responding to queries on his blog.

Microsoft is working with its Microsoft Active Protections Program partners to gather information on the exploit, and will correct the root cause of the issue.


Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.
