Attacks starting on newly announced Windows vulnerability

Flaw in ASP.NET makes web servers vulnerable

Note: This story was updated at 2:10 p.m. to include additional information from Microsoft.

Attackers are already beginning to exploit a flaw potentially affecting ASP.NET web applications, according to an alert Microsoft issued late on Sept. 20 about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could allow hackers to steal passwords and other encrypted information from remote servers. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, and so are some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post states the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified on Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appears to have different workarounds, depending on the ASP.NET version used, as this blog by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform, explains. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also points to a new Microsoft forum to get answers on the topic.

The workaround Guthrie recommends is to configure web applications to always return a custom error page. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server," he wrote.

Microsoft provides a script in its security and defense blog post that allows IT pros to test if their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 describes the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.


About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including, and


  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

    sensor network (agsandrew/

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.