UPDATE: Scott Guthrie just announced that the patch for this issue will be released tomorrow (Tuesday, Sep. 28th) at approximately 10:00am PDT. The patch will appear first on the Microsoft Download Center, and will be released to Windows Update and the Windows Server Update Service over the next few days. Check back here or at Scott’s blog for the links once they’re available.
Late last week, Scott Guthrie posted a notice of a vulnerability discovered in ASP.NET that can lead to any ASP.NET-based application being compromised. The vulnerability is a padding oracle in the cryptographic implementation: by observing how the server responds to deliberately tampered ciphertext, an attacker may be able to decrypt data that ASP.NET encrypted and sent to the client (such as encrypted ViewState), and may also be able to download files within the scope of the application, including web.config.
Scott’s post details the recommended workaround to apply until a fully tested official patch is available (once the patch has been released, the workaround will no longer be necessary), so I recommend that anyone supporting an ASP.NET application read Scott’s post and implement the workaround as soon as possible.
Essentially, the workaround involves enabling Custom Errors and ensuring that every error, whatever its cause, returns exactly the same error page, so that the response no longer tells the attacker whether the server rejected the padding of a ciphertext or failed for some unrelated reason. Scott’s post offers examples of both a static and a dynamic error page; the dynamic page is preferable where possible, because it also adds a random delay that masks timing differences between error types. In addition to the details in the original post, Scott has posted an FAQ with additional information on the vulnerability and the workaround.
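As an added illustration of the workaround described above (this is not code from the original post or from Scott’s examples; the file name Error.aspx and the surrounding web.config fragments are assumptions for the example), here is a vulnerable customErrors configuration beside the corrected one, followed by a dynamic error page that adds a random delay:

```xml
<!-- web.config, BEFORE: the weak setting.
     With custom errors off, the client sees ASP.NET's detailed error page, so a
     bad-padding failure is distinguishable from a 404 or an application exception. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- web.config, AFTER: the workaround applied.
     mode="On" hides details for every request, local or remote, and defaultRedirect
     points ALL errors (404, 500, everything else) at one page.
     Deliberately no <error statusCode="..."> child elements: a per-status mapping
     would reintroduce the distinguishable responses the oracle depends on.
     redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and 4.0) serves the error page
     in place instead of issuing a 302 redirect; on older versions omit the attribute. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>

<!-- Error.aspx (assumed name): the dynamic error page.
     Identical body for every error, plus a random 0-255 ms sleep drawn from a
     cryptographic RNG so that response timing does not distinguish error types either. -->
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load(object sender, EventArgs e)
    {
        byte[] delay = new byte[1];
        using (RandomNumberGenerator prng = new RNGCryptoServiceProvider())
        {
            prng.GetBytes(delay);
        }
        Thread.Sleep((int)delay[0]);
    }
</script>
<html>
<body>
    <p>An error occurred while processing your request.</p>
</body>
</html>
```

After applying it, verify the behaviour rather than assuming it: request a URL that does not exist and a page that you know throws an exception, and confirm that both return the same status code and the same response body. Any difference between the two, including a different redirect target, is a signal the oracle can still use.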
Some additional resources:
- Microsoft Security Advisory on the issue
- ASP.NET Forum for questions/discussion of the vulnerability
As you can imagine, we’re taking this issue very seriously, and we ask all our customers to do the same. While we understand that implementing the workaround may restrict functionality that your application relies on, we want to minimize the impact on customers while the patch is being worked on.