Tuesday, 1 January 2013

Microsoft Fixes ASP.NET Zero-Day Flaw

by Tony Bradley, Yahoo News

Microsoft released Security Bulletin MS10-070 out-of-band today, a couple of weeks ahead of the regularly scheduled Patch Tuesday for October. The update resolves a zero-day vulnerability in ASP.NET that could allow an attacker to compromise data on all supported versions of Windows.

The particulars from the Microsoft security bulletin describe the zero-day vulnerability. “An information disclosure vulnerability exists in ASP.NET due to improper error handling in the course of encryption padding verification. An attacker who successfully exploited this vulnerability could read information, such as the view state, which was encrypted by the server. This vulnerability can also be utilized for data tampering, which, if successfully exploited, could be employed to decrypt and tamper with the information encrypted by the server.”

A blog post from Microsoft’s Scott Guthrie offers a detailed explanation of the vulnerability. “To comprehend how this vulnerability functions, you want to know about cryptographic oracles. An oracle in the context of cryptography is a program which supplies hints as you ask it queries. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted effectively by examining which error code was returned by the web server. By making a lot of such requests (and watching what errors are returned) the attacker can discover sufficient to successfully decrypt the rest of the cipher text.”

Andrew Storms, director of security operations for nCircle, commented via e-mail to say, “Microsoft delivered today’s zero-day patch release in just eleven days.

It is not the fastest turn-around time in Microsoft patch history, but it is pretty close to the seven day turnaround we saw in January. We now know that in the January update Microsoft knew about the bug before the exploit, so the seven day speedy turnaround is not a totally accurate measurement. This leaves me questioning if Microsoft already knew about today’s bug. But the bigger question in my thoughts is the prospective effect of this brief turn-around on quality.”

Interestingly, the update will not be immediately pushed by means of Automatic Updates. A blog post from the Microsoft Security Response Center explains, “The update will be made obtainable initially only by means of the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next couple of days. This allows consumers the choice to deploy it manually now without delaying for broader distribution.”

nCircle’s Storms notes, “It really is a bit odd that today’s patch release won’t be right away obtainable on Windows Update. Administrators and consumers will both be required to download the patch and install it manually,” but Storms adds, “Considering that the main threat of this bug is with network administrators running IIS websites, manual downloads are almost certainly a reasonable compromise amongst convenience and receiving the patch out as speedily as attainable.”


[Source] Software Outsourcing Blog Section: http://www.techomechina.com

Senior Software Developer, working at RayooTech, a software outsourcing company; website: http://www.techomechina.com


