Attacks starting on newly announced Windows vulnerability

Note: This story was updated at 2:10 p.m. to include additional information from Microsoft.

Attackers are already beginning to exploit a flaw potentially affecting ASP.NET web applications, according to an alert Microsoft issued late on Sept. 20 about the flaw.

The vulnerability, which involves methods used with the Public Key Cryptography Standard #7 encryption system, could allow hackers to steal passwords and other encrypted information from remote servers. It could enable an attacker to get password information from forms used with ASP.NET Web applications. Using that information, the attacker could discover information from the target server itself.

Every supported Windows operating system is affected, and so are some unsupported ones, such as Windows XP Professional x64 Edition Service Pack 2, according to Microsoft's security advisory 2416728. A Microsoft security and defense blog post states the vulnerability applies to Web applications using ASP.NET 3.5 Service Pack 1 or newer releases.

Microsoft clarified on Monday in a new Q&A that the vulnerability can be found in all ASP.NET Applications, such as Web Forms and MVC. Also, Microsoft appears to have different workarounds, depending on the ASP.NET version used, as this blog by Scott Guthrie, corporate vice president of Microsoft's .NET Developer Platform, explains. Other applications that work with ASP.NET, such as SharePoint 2010, also are affected. The SharePoint team provided a workaround here. Guthrie's blog post also points to a new Microsoft forum to get answers on the topic.

The workaround Guthrie recommends is to configure web applications to always return a custom error page. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server," he wrote.

Microsoft provides a script in its security and defense blog post that allows IT pros to test if their ASP.NET applications return this single error page or not. They can use the script to help determine which ASP.NET applications require the workaround.

The flaw allows a hacker to gain information from a hidden form field called __VIEWSTATE, which is sent encrypted to the client user. This file could contain password information that can be used to gain information from the server, but systems are vulnerable even if no important data are contained in the view state file.

Microsoft's security advisory 2416728 describes the vulnerability as a "padding oracle attack." It has nothing to do with Oracle products. Instead, the oracle in this case is located on the target server and encrypts the view state file. The exploit could be used to alter the view state file and send the altered version back to the server. Error messages returned from the server's oracle could then be used to read data from the target server. An attacker could gain enough information to access data in the WEB.CONFIG file used on the server for ASP.NET applications.