Microsoft has issued a security advisory warning users of a flaw in the way its ASP.NET Web application framework implements AES encryption.
The vulnerability affects the .NET framework running on all versions of Windows. The issue has been known since 2002, but two researchers created a
"At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds," said Jerry Bryant, group manager of Microsoft Response Communications. Bryant added that Microsoft was unaware of any active attacks targeting the vulnerability.
The vulnerability poses a serious threat because many websites use ASP.NET for Web applications. Microsoft estimates that its framework is used by 25% of the Internet's websites.
According to the ASP.NET security advisory, the padding vulnerability can enable an attacker to view data that was encrypted by the Web server and tamper with the content of the data. "By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server," Microsoft said.
In addition, Microsoft developed a workaround that thwarts attacks by enabling ASP.NET applications to return the same error page regardless of the error encountered by the server. Microsoft also issued a script developers can use to determine if any ASP.NET applications are deployed with vulnerable configurations.
Researchers Juliano Rizzo and Thai Duong demonstrated their Padding Oracle Exploit Tool (POET), last week, at the ekoparty Security Conference in Argentina. The new tool automatically finds and exploits cookie encryption padding vulnerabilities in ASP.NET Web applications. Similar faulty encryption implementations that can be exploited via the padding attack technique can be found in other popular Web frameworks, including Ruby on Rails, and the OWASP Enterprise Security API Toolkits.