Microsoft Issues Warning Over ASP.net Flaw

Microsoft has warned that a recently disclosed vulnerability on its ASP.Net applications is being actively exploited in the wild.

The company said that attackers were exploiting the critical vulnerability to intercept and modify password files and other sensitive data. The flaw was discovered in the way in which ASP.Net apps encrypt data.

The vulnerability, which has been termed by Microsoft as "cryptographic padding attack" was disclosed during the Ekoparty Conference in Argentina where another serious flaw was found in the AES security protocol.

Microsoft had responded by releasing a temporary patch for the problem but informs that the flaw was being exploited by attackers, which are using it to steal and tamper with sensitive system configuration files.

Microsoft wrote on a blog post that “An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).”

Users are being advised to configure the 'Custom Error' settings, which sends the same error page, as a temporary work around.