Attacks starting on newly announced Windows vulnerability

Flaw in ASP.NET makes web servers vulnerable

Note: This story was updated at 2:10 p.m. to include additional information from Microsoft.

Attackers are already beginning to exploit a flaw potentially affecting ASP.NET web applications, according to an alert Microsoft issued late on Sept. 20 about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could allow hackers to steal passwords and other encrypted information from remote servers. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, and so are some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post states the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified on Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appears to have different workarounds, depending on the ASP.NET version used, as this blog by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform, explains. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also points to a new Microsoft forum to get answers on the topic.

The workaround Guthrie recommends is to configure web applications to always return a custom error page. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server," he wrote.

Microsoft provides a script in its security and defense blog post that allows IT pros to test if their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 describes the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.


About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including, and


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.