Microsoft confirms massive ASP .NET flaw; issues workaround


Microsoft (NASDAQ: MSFT) has confirmed the existence of a critical flaw in ASP.NET. It could allow attackers to hijack encrypted web sessions and steal usernames and passwords, which could then be used to undermine the integrity of a specific web application or even the web server itself. The vulnerability is all the more serious because it appears to affect every supported version of the Windows operating system, and the fact that an estimated 25 percent of the Internet's websites use ASP.NET only makes the issue worse.

The security flaw was first demonstrated by a pair of researchers at the Ekoparty Security Conference in Buenos Aires last Friday. On the same day, Microsoft issued an advisory and outlined a workaround to temporarily protect against the attack vector.

Dubbed a "padding oracle attack," the technique involves sending ciphertext to the target server and observing its response. By examining the error code the server returns and repeating this across a large number of requests, the attacker leverages the flaw to determine the correct encryption key used by the server.

Depending on how a particular application was created, data sent from the server to client machines could be successfully decrypted and spied on. With ASP.NET 3.5 SP1 or above, the attacker could essentially use this vulnerability to request the contents of an arbitrary file within the ASP.NET application, such as the vital web.config configuration file.
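The two paragraphs above describe the server behaviour that makes a padding oracle possible: a decryption endpoint whose error response for bad padding differs from its response for any other failure. The following added example (written for this page, not Microsoft's or ASP.NET's own code) shows a deliberately leaky MAC-then-encrypt handler beside a hardened encrypt-then-MAC handler, plus a defender's check that counts how many distinct failure responses each one emits when the ciphertext is corrupted. The block cipher is a toy XOR stand-in rather than AES, and the key, message and function names are constructed for the demonstration; only the CBC, PKCS#7 and MAC handling around it is the point.

```python
"""Added example: why a decryption endpoint that reports padding failures
separately from other failures acts as a padding oracle, and the usual fix
(authenticate the whole ciphertext before decrypting, return one uniform error).
The block cipher is a deliberately trivial XOR stand-in, NOT AES; only the
CBC / PKCS#7 / MAC handling around it matters here."""
import hashlib
import hmac
import os

BLOCK = 16
TAG = 32  # HMAC-SHA256 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _toy_block(key: bytes, block: bytes) -> bytes:
    # Toy invertible "block cipher": XOR with a key-derived 16-byte mask (an involution).
    return _xor(block, hashlib.sha256(b"enc" + key).digest()[:BLOCK])


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(padded: bytes) -> bytes:
    n = padded[-1] if padded else 0
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return padded[:-n]


def _cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _toy_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def _cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += _xor(_toy_block(key, block), prev)
        prev = block
    return out


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(b"mac" + key, data, hashlib.sha256).digest()


# --- Leaky design: MAC-then-encrypt, padding and MAC failures reported differently.
def protect_leaky(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + _cbc_encrypt(key, iv, _pad(msg + _mac(key, msg)))


def unprotect_leaky(key: bytes, blob: bytes):
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    try:
        padded = _unpad(_cbc_decrypt(key, iv, ct))
    except ValueError:
        return "padding_error", None     # distinguishable response #1: the oracle
    msg, tag = padded[:-TAG], padded[-TAG:]
    if not hmac.compare_digest(_mac(key, msg), tag):
        return "mac_error", None         # distinguishable response #2
    return "ok", msg


# --- Hardened design: encrypt-then-MAC over iv||ct, verified before any decryption,
# with a single generic failure status whatever went wrong.
def protect_hardened(key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    body = iv + _cbc_encrypt(key, iv, _pad(msg))
    return body + _mac(key, body)


def unprotect_hardened(key: bytes, blob: bytes):
    if len(blob) < BLOCK + TAG:
        return "error", None
    body, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(_mac(key, body), tag):
        return "error", None             # tampered ciphertext never reaches the unpadder
    try:
        return "ok", _unpad(_cbc_decrypt(key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        return "error", None             # same status, so nothing about padding leaks


def error_classes(unprotect, key: bytes, blob: bytes) -> set:
    """Defender's check: how many distinct failure responses does a handler emit
    for two different kinds of ciphertext corruption? More than one is an oracle."""
    iv_flip = bytes([blob[0] ^ 0x01]) + blob[1:]      # corrupts first plaintext byte only
    tail_flip = blob[:-1] + bytes([blob[-1] ^ 0xFF])  # corrupts the final padding byte (or tag)
    return {unprotect(key, iv_flip)[0], unprotect(key, tail_flip)[0]}


if __name__ == "__main__":
    key, msg = b"constructed-test-key", b"user=alice; role=user"   # constructed sample values
    print("leaky   :", error_classes(unprotect_leaky, key, protect_leaky(key, msg)))
    print("hardened:", error_classes(unprotect_hardened, key, protect_hardened(key, msg)))
```

The leaky handler answers corruption with two different statuses, which is exactly the signal a padding oracle attack feeds on; the hardened handler rejects anything whose tag does not verify before the padding code ever runs, so every failure collapses to one indistinguishable response. The same principle applies to HTTP status codes, error pages and response timing, not only to the string returned here.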

For now, the Redmond-based software giant says a patch will eventually be released, though it won't commit to a timetable for it.

For more on this story:
- check out this article at Computerworld
- check out this article at RedmondMag.com
- check out this article at SC Magazine
- check out this article at Security Research & Defense Blog
