Microsoft Fixes ASP.NET Flaw With Out-Of-Band Release
The ASP.NET flaw, which was given the slightly less severe ranking of "important," affects all versions of the .NET Framework used on Windows Server operating systems, including Windows XP, Windows Vista, Windows 7, Windows Server 2003 and 2008 and Windows Server 2008 R2. However, versions of the .NET Framework prior to 3.5 Service Pack 1 are not affected by the portion of the vulnerability that enables disclosure of file contents, Microsoft said.
Reports indicate that the flaw is already being exploited in "limited and targeted" attacks in the wild.
Microsoft said that Windows desktop systems are also affected, "but consumers are not vulnerable unless they are running a Web server from their computer," said Dave Forstrom, director of Microsoft's Trustworthy Computing group, in a blog post Monday.
Specifically, the ASP.NET framework encrypts sensitive data to protect it from unauthorized access. The bug opened up a security hole, enabling attackers to view encrypted data, such as the ViewState, or to read any file stored on the Web server, such as Web.config.
Once they had access, attackers could then alter or delete the encrypted data and change or steal passwords, database connection strings or other sensitive information stored in the ViewState object, which is encrypted by the target server. In addition, by sending the altered contents back to an affected server, attackers would be able to observe the error codes the server returned.
Some security researchers said that Microsoft might have downplayed the importance of the ASP.NET security flaw.
"Translated, this means that the vulnerability undermines basic Web application security. I suspect that online shops and such might rate the risk that 'an attacker can read any file' on their Web application server a bit higher than just 'important,'" said Daniel Wesemann, SANS Institute researcher, in a blog post Tuesday.
Other researchers contend that while the ASP.NET Framework has the potential to affect a wide swath of customers, the vulnerability could not lead to a wormable attack or drive-by download exploit, which would perhaps warrant the highest severity ranking of "critical."
"There's always going to be a worst case scenario. It's entirely possible that you have instances where it's not nearly as severe," said Tyler Reguly, technical manager of security research and development at nCircle. "It's not exactly at the same level of severity as [Conficker]. It's obviously much lower on the charts than that one."
Microsoft said that initially the ASP.NET patch will only be available at the Microsoft Download Center, and then released through Windows Update and Windows Server Update Services within the next few days "as we test to make sure distribution will be successful through these channels. This approach allows us to release sooner to customers who may choose to deploy it manually without delaying for broader distribution," Forstrom said.
Microsoft released a security advisory Sept. 20 warning users of the ASP.NET vulnerability after it was publicly disclosed. The software giant then rapidly turned around a patch in almost record time a week later to repair the error.
However, Andrew Storms, director of security operations at nCircle, questioned the impact that the speedy turnaround time would have on patch quality, comparing this out-of-band patch to a seven-day turnaround for a bug Microsoft fixed in January.
"We now know that in the January update, Microsoft knew about the bug before the exploit," he said in an e-mail. "This leaves me wondering if Microsoft already knew about today's bug. But the bigger question in my mind is the potential effect of this short turn-around on quality."
However, Reguly said that, given the limited nature of the attacks, Microsoft could have launched an "all hands on deck" effort to push a strong patch through in a short amount of time.
"Microsoft has a lot of resources available. If they want to throw the manpower at it, they can. You're not dealing with something that's as widespread as a flaw in IE or Office. I'm impressed by how fast they turned it around."