Microsoft Adds to ASP.NET Vulnerability Advisory
Microsoft added information Sept. 24 to the workaround section of the advisory on the ASP.NET vulnerability that has come under attack.
The company updated its advisory to include a step in the workaround requiring the blocking of requests that specify the application error path on the querystring.
"This can be done using URLScan, a free tool for Internet Information Services (IIS) that can selectively block requests based on rules defined by the administrator," blogged Dave Forstrom, director of Trustworthy Computing at Microsoft. "If your system is running Internet Information Services ... on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 or Windows Server 2008 R2, you can alternatively use the Request Filtering feature."
The problem involves ASP.NET's use of encryption padding, which provides information in error messages that can be used by an attacker to potentially read and alter encrypted data. Security researchers Juliano Rizzo and Thai Duong designed a tool to exploit the vulnerability, which they presented at the Ekoparty security conference in Buenos Aires, Argentina, earlier in September.
Microsoft is working on a fix to address the issue. You can read more about the situation here.