
Microsoft sounds alert on massive Web bug

Published September 24, 2010

Microsoft has warned users that a critical bug in ASP.Net could be exploited by attackers to hijack encrypted Web sessions and pilfer usernames and passwords from Web sites.

Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text. ASP.Net's encryption can be exploited to decrypt session cookies or other encrypted data on a remote server, and access and snatch files from a site or Web application that relies on the framework.

Although Microsoft said it would produce a patch, it has not set a timetable for its release. In the meantime, site and application developers should tweak their code. "[You can] prevent this vulnerability [by enabling] the customErrors feature of ASP.Net and explicitly configure your applications to always return the same error page -- regardless of the error encountered on the server," said Scott Guthrie, who runs several development teams at Microsoft, including the group responsible for ASP.Net. "By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server."

Microsoft included details on the same work-around in its security advisory.
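The work-around quoted above is a web.config setting: turn customErrors on and route every error to one page so that an attacker cannot tell error types apart from the response. The following script is an added example, not code from the article, Microsoft's advisory or any Secure Florida material. It embeds three constructed web.config fragments (one weak, one mapping all errors to a single page, one that undermines the single page with a per-status entry) and audits each for the setting the advisory describes; the file names and the `audit_custom_errors` function are assumptions made for this illustration.

```python
"""Audit an ASP.NET web.config for the single-error-page work-around."""
import xml.etree.ElementTree as ET

# Constructed sample: customErrors left at RemoteOnly with no default page,
# so remote clients still receive responses that differ by error type.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>
"""

# Constructed sample: the setting the advisory recommends, with every error
# mapped to one page (the page name ~/Error.aspx is an assumed placeholder).
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
"""

# Constructed sample: looks hardened but a per-status <error> entry gives
# 404s a different page, which is exactly the distinguishable behaviour
# the work-around is meant to remove.
PER_STATUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml):
    """Return a list of findings; an empty list means every error goes to one page."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    node = system_web.find("customErrors") if system_web is not None else None
    if node is None:
        findings.append("customErrors element missing: custom error pages not configured")
        return findings
    mode = node.get("mode")
    if mode != "On":
        findings.append(
            f'customErrors mode="{mode}": must be "On" so every client gets the custom page'
        )
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect not set: errors are not mapped to a single page")
    if node.findall("error"):
        findings.append(
            "per-status <error> entries present: error types remain distinguishable"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("per-status", PER_STATUS_CONFIG)):
        result = audit_custom_errors(cfg) or ["passes single-error-page check"]
        print(name + ":")
        for line in result:
            print("  - " + line)
```

The check is deliberately strict about per-status entries: a 404 page that differs from the generic error page is enough to separate "resource not found" from "decryption failed", which defeats the purpose of the uniform page. ASP.NET 3.5 SP1 and later also accept `redirectMode="ResponseRewrite"` on customErrors, which serves the error page in place of a redirect; that attribute is not mentioned on this page and the audit treats it as optional.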
Copyright © 1994 - 2010 Computerworld Inc. All rights reserved.