RESEARCHERS have managed to exploit the way in which AES encryption is implemented in Microsoft's ASP.NET software to leave web users' data up for grabs.
The exploit, to be shown off at the Ekoparty Conference later this week, could affect millions of websites that use AES encryption functions built into Microsoft's ASP.NET software to protect the integrity of cookies during user sessions. Since 'sessions' are used in web applications such as online banking, shopping and just about any website that requires a login, the exploit is particularly worrying.
For users there's little to be done, as the problem resides in ASP.NET and is not mitigated by changing the web browser or operating system.
Thai Duong and Juliano Rizzo, the two researchers who showcased the attack, told reporters, "We knew ASP.NET was vulnerable to our attack several months ago, but we didn't know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security."
Duong and Rizzo's last statement claiming that their attack "totally destroys" security is particularly chilling. Apparently the technique used in the exploit has been around since 2002 and it is surprising that not only has Microsoft missed this one but also security researchers and hackers who are usually adept at taking advantage of any seemingly minor weakness in code.
The exploit takes advantage of error messages generated by ASP.NET software when encrypted data within a cookie has been modified. The error message provides a small tidbit of information about how ASP.NET decrypts messages. With enough of these error messages it is possible to decrypt the message in its entirety.
Perhaps more chilling than the destruction of ASP.NET security is Duong's claims of efficiency. The researcher painted a very worrying picture of just how effective his Padding Oracle exploit software is.
Duong said, "It's worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It's just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes."
The race is now on for Microsoft and those that use its ASP.NET software to protect themselves against an attack that requires only a "moderately skilled attacker". µ