New security flaw discovered in Microsoft's ASP.Net technology
September 14, 2010
A new security vulnerability has been discovered in the way some Internet applications handle encrypted session cookies, one that could leave online banking accounts open to multiple attacks from hackers.
The security flaw stems from cryptographic weaknesses in some Internet apps developed using Microsoft's ASP.Net technology.
Microsoft's ASP.Net framework uses the U.S. government-approved AES encryption algorithm to secure the browser session cookies that applications generate while remote users perform online banking tasks.
The flaw works like this: when the encrypted data in a browser cookie has been modified, implementation holes in the way ASP.Net handles the resulting errors can give a potential attacker strong clues that allow him to narrow down the possible range of the security keys used in an online banking session.
Attacks based on this vulnerability might also allow an attacker to decrypt 'sniffed' cookies or forge session authentication tickets, among other attacks of a similar nature.
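The error handling described above, shown as an added example that is not from the original article or from ASP.Net itself: a handler whose responses differ depending on why a modified cookie failed, beside one that checks a MAC before decrypting and returns a single generic error. The keys, the cookie layout, the handler names and the XOR stand-in for AES are all constructed for the illustration.

```python
import hashlib
import hmac

BLOCK = 16
ENC_KEY = bytes(range(BLOCK))          # constructed demo key
MAC_KEY = b"constructed-demo-mac-key"  # constructed demo key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def toy_block(block):
    # Stand-in for the AES block operation (XOR is its own inverse); NOT a real cipher.
    return xor(block, ENC_KEY)

def seal(iv, plaintext):
    # CBC-encrypt with PKCS#7 padding, then append HMAC-SHA256 over IV+ciphertext.
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    body = prev = iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block(xor(data[i:i + BLOCK], prev))
        body += prev
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def cbc_decrypt(body):
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    plain = b"".join(xor(toy_block(c), p) for p, c in zip(blocks, blocks[1:]))
    pad = plain[-1] if plain else 0
    if not 1 <= pad <= BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return plain[:-pad]

def leaky_handler(body):
    # Weak pattern: the response tells the client WHY a modified cookie failed.
    try:
        ticket = cbc_decrypt(body)
    except ValueError:
        return "500 padding is invalid"
    return "200 ok" if ticket.startswith(b"user=") else "403 bad ticket"

def hardened_handler(cookie):
    # Corrected pattern: verify the MAC before decrypting; one error for any failure.
    body, tag = cookie[:-32], cookie[-32:]
    good = hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest())
    try:
        if good and cbc_decrypt(body).startswith(b"user="):
            return "200 ok"
    except ValueError:
        pass
    return "400 invalid request"
```

Two modified copies of the same cookie produce two different answers from the first handler and the same answer from the second, which is the property to check for when reviewing how an application reports decryption failures.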
Internet security researchers Thai Duong and Juliano Rizzo have developed a "Padding Oracle Exploit Tool" to demonstrate the feasibility of such an attack, an extension of their previous research on similar security vulnerabilities in JavaServer Faces and other Web frameworks.
"The most significant new discovery is a universal Padding Oracle affecting every ASP.Net web application. In short, you can decrypt browser session cookies, view states, form authentication tickets, view membership passwords, user data and just about anything else encrypted using the framework's API," said Rizzo.
Additional details of this critical security flaw are due to be outlined at a presentation during the Ekoparty conference in Argentina later this week, Rizzo added.
Rizzo also said that the flaw might be exploited by a moderately skilled attacker to break into a website in just 30 to 40 minutes, probably even less.
"The security vulnerabilities exploited affect the framework used by about twenty-five to thirty percent of all Internet web sites. The impact of these attacks depends on the applications installed on the server, from information disclosure to total system compromise," said Duong.
"At the beginning, the first few stages of the attacks take a few thousand requests, but once it succeeds and the attacker gets the secret keys, it accelerates very fast," said Rizzo.
"What's worse is that the cryptographic knowledge required in these attacks is very basic," Rizzo added.
Source: Juliano Rizzo.