Microsoft is warning users that a critical bug in ASP.Net could be exploited by attackers to hijack encrypted Web sessions to steal usernames and passwords from Web sites.
According to Microsoft's advisory, the flaw exists in all versions of ASP.Net, a Web application framework used to build millions of sites and applications. Microsoft will have to patch every supported version of Windows, including XP, Server 2003, Windows 7, and Server 2008 R2. Other products, including IIS and SharePoint server software, are also affected.
Attackers can exploit the vulnerability by feeding crafted cipher text to an ASP.Net application and noting the error messages it returns. By repeating the process and analyzing the differences in those errors, criminals can learn enough to correctly guess the encryption key and decrypt the entire cipher text.
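The weakness described above comes down to one thing: the server tells the client *which* stage of decryption failed. The following constructed example, added here and not taken from Microsoft's advisory or from ASP.Net, shows the vulnerable pattern (decrypt, strip PKCS#7 padding, parse, each stage raising its own error) beside the hardened pattern (authenticate the cipher text with an HMAC before decrypting, and report a single uniform error whatever went wrong). The block cipher is a toy SHA-256-based Feistel construction so the code runs on the standard library alone; keys, IV and session data are fixed constructed values. It flips one byte in two different places and records what each server reveals.

```python
"""Constructed demo: distinguishable decryption errors vs. authenticate-then-decrypt."""
import hashlib
import hmac

BLOCK, ROUNDS, TAG = 16, 4, 32


class PaddingError(Exception):
    """Vulnerable server: reported when PKCS#7 padding is malformed."""


class FormatError(Exception):
    """Vulnerable server: reported when padding is fine but content is not."""


class DecryptionError(Exception):
    """Hardened server: the only error ever reported to the client."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte Feistel block cipher (illustration only, not a real cipher)."""
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


def parse_session(pt: bytes) -> bytes:
    # Application-level check: session data must start with "user=".
    if not pt.startswith(b"user="):
        raise FormatError("unrecognised session data")
    return pt


def vulnerable_decrypt(enc_key: bytes, body: bytes) -> bytes:
    """Vulnerable: body = IV || ciphertext; every stage leaks its own error."""
    return parse_session(pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])))


def protect(enc_key: bytes, mac_key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Hardened token: IV || ciphertext || HMAC-SHA256 over both (encrypt-then-MAC)."""
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(pt))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def hardened_decrypt(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    body, tag = token[:-TAG], token[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise DecryptionError("invalid token")  # tampered bytes never reach the cipher
    try:
        return vulnerable_decrypt(enc_key, body)
    except (PaddingError, FormatError):
        raise DecryptionError("invalid token")  # defence in depth: one error, no detail


def outcome(fn) -> str:
    """Name of the exception the client would observe, or 'ok'."""
    try:
        fn()
        return "ok"
    except Exception as e:  # noqa: BLE001 - we want the class name, whatever it is
        return type(e).__name__


def demo() -> dict:
    enc_key, mac_key, iv = b"E" * 16, b"M" * 16, bytes(range(16))  # constructed
    secret = b"user=alice;role=member"                              # 22 bytes -> 10 pad bytes
    token = protect(enc_key, mac_key, iv, secret)
    flip_iv = bytearray(token); flip_iv[0] ^= 0x01                  # corrupts plaintext byte 0
    flip_pad = bytearray(token); flip_pad[BLOCK + 15] ^= 0x80       # corrupts the padding byte
    return {
        "valid": hardened_decrypt(enc_key, mac_key, token),
        "vulnerable": {
            "flip_iv": outcome(lambda: vulnerable_decrypt(enc_key, bytes(flip_iv)[:-TAG])),
            "flip_pad": outcome(lambda: vulnerable_decrypt(enc_key, bytes(flip_pad)[:-TAG])),
        },
        "hardened": {
            "flip_iv": outcome(lambda: hardened_decrypt(enc_key, mac_key, bytes(flip_iv))),
            "flip_pad": outcome(lambda: hardened_decrypt(enc_key, mac_key, bytes(flip_pad))),
        },
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable server answers the two tampered tokens with two different exceptions (`FormatError` for the IV flip, `PaddingError` for the flip that lands on the padding byte), which is exactly the distinguishing signal the advisory describes; the hardened server answers both with the same `DecryptionError` because the HMAC check rejects any modified byte before the cipher or the padding logic ever runs. The same principle applies to timing: the error path and the success path should be made indistinguishable in both message and response time.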
No ETA has been given for the patch release, but workarounds are provided.