Microsoft issues emergency out-of-band patch for ASP.Net

Filed Under: Data loss, Microsoft, Vulnerability

ASP.NET logo
Microsoft has responded to news of a serious security vulnerability in the way that ASP.Net web applications are secured by issuing an emergency patch.

And you know that if a problem is serious enough for Microsoft decides to release a fix outside of its normal "Patch Tuesday" monthly schedule that it's definitely an important vulnerability.

And rightly so - ASP.Net is a very popular framework for building applications on the web, with many online banking and ecommerce sites relying upon the technology.

The security issue was discovered by researchers Thai Duong and Juliano Rizzo, who discovered a way of exploiting the way that ASP.net web applications handle encrypted session cookies, and demonstrated their findings at a security conference in Argentina earlier this month.

POET extract

If left unfixed, the security hole could give malicious hackers the ability to read any file on a web application server.

Chillingly, Duoung said:

"It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes."

Worryingly, the security flaw has been exploited in some attacks already raising the spectre of unauthorised information disclosure.

You can't imagine that Microsoft enjoys finding out about security vulnerabilities in its code this way. Nevertheless, it now says that it has a fix for the problem.

Microsoft's security bulletin MS10-070 rates the security update as "important" for all supported editions of ASP.Net except Microsoft .NET Framework 1.0 Service Pack 3.

Consumers shouldn't need to do anything unless they are running a web server from their computer. This is probably the reason why Microsoft isn't initially making the update available through the normal Windows Update services, and instead directing affected customers to manually download it from the Microsoft Download Center instead.

, , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.