Microsoft is rushing to block a serious hole in its implementation of the Advanced Encryption Standard (AES) that leaves Windows Server open to attacks that could cause users' server systems to provide hints to hackers on to how to break the systems' encryption.

The hole was disclosed late Friday by researchers Thai Duong and Juliano Rizzo at the Ekoparty Conference in Buenos Aires, Argentina.

Microsoft issued a Security Advisory on Friday and several blog posts, acknowledging the company is working on a patch for ASP.Net, a part of the .NET Framework.


"ASP.Net uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with this data," Kevin Brown of Microsoft Security Response Center (MSRC) engineering, said in a post to the Security Research and Defense blog Saturday.

The issue has to do with an attacker sending an ASP.Net application an encrypted message. If the decryption fails, a function called a "cryptographic oracle" (which has nothing to do with the database software vendor) sends "hints" back to the source of the original message. From examining the hints, an attacker may be able to suss out enough information to decrypt the rest.

"An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data). An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state," Scott Guthrie, corporate vice president of the .NET developer platform, said in a post to his personal blog.

"This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server," according to Microsoft's Security Advisory.

While Microsoft works on a patch for the hole, it has posted workarounds for various versions of the .NET Framework. The company rarely predicts when a patch will be finished and fully tested, and this case is no different.

Additionally, even though the exploit has been made public, Microsoft officials said there have been no attacks using it as yet.

This is the second time in recent weeks when researchers published the details of working security exploits before Microsoft had a patch ready -- a practice that the company tries to discourage. The usual response from researchers, however, is that Microsoft is slow to fix holes they report to the company.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Follow eSecurityPlanet on Twitter @eSecurityP.