Attacks starting on newly announced Windows vulnerability

Flaw in ASP.NET makes web servers vulnerable

Note: This story was updated at 2:10 p.m. to include additional information from Microsoft.

Attackers are already beginning to exploit a flaw potentially affecting ASP.NET web applications, according to an alert Microsoft issued late on Sept. 20 about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could allow hackers to steal passwords and other encrypted information from remote servers. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, and so are some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post states the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified on Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appears to have different workarounds, depending on the ASP.NET version used, as this blog by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform, explains. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also points to a new Microsoft forum to get answers on the topic.

The workaround Guthrie recommends is to configure web applications to always return a custom error page. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server," he wrote.

Microsoft provides a script in its security and defense blog post that allows IT pros to test if their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 describes the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.


About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including, and


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.