Microsoft is warning users of a critical bug in ASP.Net that could be exploited by attackers to hijack encrypted Web sessions and steal usernames and passwords from websites, reports Computerworld. The article explains:
Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text.
The flaw is present in all versions of ASP.Net, which is Microsoft's Web application framework used to create millions of sites and applications. In its security advisory, the company says it is aware of "limited, active attacks at this time." Microsoft's Scott Guthrie offers this workaround until a patch is ready:
[You can] prevent this vulnerability [by enabling] the customErrors feature of ASP.Net and explicitly configure your applications to always return the same error page -- regardless of the error encountered on the server ... By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.
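As an added illustration of that workaround (not taken from the Computerworld article or from Guthrie's post), here are two web.config fragments: the kind of per-error mapping the advice tells you to remove, and the single-error-page configuration it calls for. The page names (~/Error.aspx and the others) are placeholders.

```xml
<!-- BEFORE (weak): errors are handled, but different errors land on
     different pages with different status codes, so the server's
     response still reveals which kind of error occurred. Leaving
     customErrors mode="Off" is weaker still, since the raw ASP.NET
     error page is then returned for every failure type. -->
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- AFTER (workaround): every error, whatever its cause or status code,
     is answered with the one page ~/Error.aspx (placeholder name).
     redirectMode="ResponseRewrite" renders that page in place on the
     original URL instead of issuing a 302 to another URL, so the shape
     of the response does not vary with the error; this attribute
     exists from .NET Framework 3.5 SP1 onward and is omitted on older
     versions. There are deliberately no <error> child elements, since
     each one would reintroduce a distinguishable case. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

The error page itself must also be uniform: it should not echo the exception, vary its content by error type, or fail in a way that falls back to the default error page.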