Workaround for ASP.NET server's encryption vulnerability
In a security advisory, Microsoft has confirmed the vulnerability in the process used by ASP.NET applications to encrypt cookies and other session information. In the announcement for the security advisory, Microsoft said it was not, so far, aware of any attacks. However, the security group does encourage users to "review the advisory for mitigations and workarounds". A blog entry describes how to implement the workarounds and offers a script to help administrators determine whether their ASP.NET applications are vulnerable.
The cause of the problem was highlighted last week by security researchers Juliano Rizzo and Thai Duong, who established that there was an issue with how the ASP.NET framework encrypted data. Usually, the framework uses the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode, but this mode is vulnerable to what are called padding oracle attacks, which can allow encrypted data, such as cookies, to be decrypted without the key.
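A padding oracle depends on the server answering differently for different decryption failures, so one way to check an application is to audit its web.config for error handling that maps every error to a single page. The following is an added example, not Microsoft's script or code from the advisory. It assumes the workaround consists of a customErrors element that is not switched off, has one defaultRedirect, has no per-status error children and, on .NET 3.5 SP1 and later, sets redirectMode to ResponseRewrite; the function name and sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(elem):
    # Drop any XML namespace so files with an xmlns on <configuration> still match.
    return elem.tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml, needs_response_rewrite=True):
    """Return findings for one web.config; an empty list means every check passed.

    The checks encode the assumed workaround described in the lead-in.
    """
    root = ET.fromstring(web_config_xml)
    nodes = [c for sw in root.iter() if _local(sw) == "system.web"
             for c in sw if _local(c) == "customErrors"]
    if not nodes:
        return ["no <customErrors> element, so errors are not mapped to one page"]
    findings = []
    for node in nodes:
        # ASP.NET treats a missing mode attribute as RemoteOnly.
        if node.get("mode", "RemoteOnly") == "Off":
            findings.append('mode="Off" returns detailed, distinguishable errors')
        if not node.get("defaultRedirect"):
            findings.append("no defaultRedirect, so there is no single error page")
        if any(_local(c) == "error" for c in node):
            findings.append("per-status <error> pages let a client tell failures apart")
        if needs_response_rewrite and node.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode is not "ResponseRewrite"')
    return findings

# Constructed sample files (not taken from any real application).
WEAK = """<configuration><system.web>
  <customErrors mode="RemoteOnly">
    <error statusCode="404" redirect="~/notfound.aspx" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_custom_errors(xml) or "workaround in place")
```

Pass `needs_response_rewrite=False` when auditing an application on a framework version older than .NET 3.5 SP1, where the redirectMode attribute does not exist.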