Microsoft Warns of Nasty ASP.Net Bug

Kara Reeder

Microsoft is warning users of a critical bug in ASP.Net that could be exploited by attackers to hijack encrypted Web sessions and steal usernames and passwords from websites, reports Computerworld. The article explains:

Hackers can exploit the vulnerability by force-feeding cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process numerous times and analyzing the errors, criminals can learn enough to correctly guess the encryption key and thus decrypt the entire cipher text.

The flaw is present in all versions of ASP.Net, which is Microsoft's Web application framework used to create millions of sites and applications. In its security advisory, the company says it is aware of "limited, active attacks at this time." Microsoft's Scott Guthrie offers this workaround until a patch is ready:

[You can] prevent this vulnerability [by enabling] the customErrors feature of ASP.Net and explicitly configure your applications to always return the same error page -- regardless of the error encountered on the server ... By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.
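A check for the workaround quoted above, as an added example that is not code from the article or from Microsoft: it parses a web.config and reports any customErrors setting that lets a client tell one server error from another. The function name and both sample configs are constructed for illustration, and requiring mode="On" is a strict reading of "always return the same error page".

```python
import xml.etree.ElementTree as ET

# Constructed sample: errors are not masked and 404 gets its own page.
WEAK = """<configuration><system.web>
  <customErrors mode="Off">
    <error statusCode="404" redirect="~/404.html" />
  </customErrors>
</system.web></configuration>"""

# Constructed sample: every error is mapped to one page.
HARDENED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means one error page for all errors."""
    root = ET.fromstring(web_config_xml)
    node = root.find("system.web/customErrors")
    if node is None:
        return ["no <customErrors> element: framework defaults apply"]
    findings = []
    # Assumption: only mode="On" serves the custom page to every client.
    mode = node.get("mode", "RemoteOnly")  # RemoteOnly is the ASP.NET default
    if mode != "On":
        findings.append(f'mode="{mode}": detailed errors can still reach a client')
    default = node.get("defaultRedirect")
    if not default:
        findings.append("no defaultRedirect: no single error page is configured")
    # Per-status pages make error types distinguishable again.
    for err in node.findall("error"):
        if err.get("redirect") != default:
            findings.append(
                f'status {err.get("statusCode")} has its own page {err.get("redirect")}'
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_custom_errors(cfg))
```

The check reads only the top-level system.web section; configs that use an XML namespace or location overrides need the lookup extended.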
