Micorosoft published an out-of-band patch MS10-070 for the ASP.NET issue made public 2 weeks ago the ekoparty conference in Buenos Aires.
MS10-070 updates the widely installed .NET Framework for all supported Windows platforms, from XP SP3 to Windows 7. This makes this update applicable to many machines, desktops and servers alike. However, the current known attack is applicable only machines that run a webserver with ASP.NET installed, so IT administrators should prioritize these machines. Desktops and servers that do not run a webserver can be updated at a later date, when convenient.
Microsoft rates the vulnerability as "important" as it only causes information leakage, but the effect of the attack is highly dependent on the web application running on the server. In the worst case scenario attackers can gain complete control of the server in question. The exact impact will have to be determined by the server and application engineers, we recommend patching this vulnerability on all Windows machine that run ASP.NET applications.
For a demo of the worst-case scenario take a look the video of Juliano and Thai running their POET tool against a updated "DotNetNuke" installation. They are able to gain full control over the server in under 10 minutes.
For a great explanation of padding attacks take a look at Gotham Digital Security blog.
The previously recommended workarounds in the advisory continue to be valid and do not need to be backed out for the patch. The are best practice recommendations that minimize information leakage through side channels and should be considered for any web application in production.
- Exploit tool and Whitepaper from Netifera
- Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
- DotNetNuke blog post on how to fix the issue
- Technical details on the suggested workarounds
- Initial advisory from Microsoft