Microsoft Warns Of ASP.Net Vulnerability
encryption vulnerability application framework database hacker
Attackers could then tamper with the data once they had access to privileged files and databases from the Web server. They could also observe error codes, if altered contents were sent back to an affected server.
Johnathan Norman, director of security research for Alert Logic, said that Microsoft should eventually designate the error with a "critical" rating, reserved for vulnerabilities with the highest severity level, while adding that Microsoft seemed to be "downplaying it a bit."
"It's definitely critical. By and large it will give an attacker the ability to grab any file off the Web server, such as configuration files that have usernames and passwords," Norman said.
Thus far, there are no known attacks in the wild that have exploited the error. However Norman contended that could quickly change now that the vulnerability has been disclosed publicly.
"It's a trivial attack to recreate. It's not very hard. I'd imagine that any other organization that has other [malicious] intentions would have no problem," he said. "I expect it to be in the wild tonight."
Microsoft has yet to release a patch repairing the issue, which will be provided in either a regular monthly security bulletin or as an out-of-band update, depending on the severity of the flaw. Until a patch can be developed, the company has issued temporary workaround instructing users how to change the default error message handling, designed to mitigate the chance of attack.
Microsoft's Jerry Bryant, group manager for response communications, said in a blog post that the company was currently investigating the issue.
Meanwhile, the public ASP.Net flaw disclosure prompted a sharp response from Microsoft, while further escalating the heated debate around vulnerability disclosure policies.
"We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors," Bryant wrote. "We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity."