Microsoft Warns of ASP.NET Attacks
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Microsoft Warns of ASP.NET Attacks

Written By
Brian Prince
Brian Prince
Sep 21, 2010
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft is warning users it has seen “limited attacks” targeting an ASP.NET vulnerability that could potentially affect many Web applications.

The issue, which was demonstrated by security researchers Juliano Rizzo and Thai Duong, is due to ASP.NET’s use of encryption padding, which provides information in error messages that can be used by an attacker to potentially read and alter encrypted data. Duong and Rizzo designed a tool to exploit the vulnerability, which they presented at the Ekoparty security conference in Buenos Aires, Argentina, last week.

“An attacker who successfully exploited this vulnerability would be able to read data, such as the View State, which was encrypted by the server,” Microsoft warned in an advisory. “This data may also be tampered with by the attacker…[who] could send this data back to the server and observe the error codes returned by the server. By observing these error codes, an attacker could gain enough information to decrypt and tamper with the encrypted data.”

“An attacker who successfully exploited this vulnerability could also read data from files on the target server, such as web.config, which the worker process identity already has access to,” Microsoft added.

Microsoft said it is working on a fix. In the meantime, enabling ASP.NET custom errors and mapping all error codes to the same error page can serve as a workaround. Instructions on how to do that are contained within the Microsoft advisory. The company’s SharePoint team warned that the issue affects SharePoint 2010 and SharePoint Foundation 2010, which require a slightly different workaround detailed here.

The publicly disclosed exploit can be used against all types of ASP.NET Applications, including both Web Forms and MVC, blogged Scott Guthrie, corporate vice president of the Microsoft Developer division. Configuring a custom 404 error page response and a default redirect for all other errors still lets an attacker distinguish between a 404 and other errors, he noted. Likewise, a custom logging module is only effective as a mitigation if the responses it sends out do not let an attacker draw a distinction between error messages through either their content or the “time that it takes to serve out.”

“It is always a best practice to encrypt sensitive configuration data within web.config files,” he added. “That way if your web.config file is ever exposed, attackers cannot use its contents maliciously.”
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information