On the 17th of September, Microsoft released Microsoft Security Advisory (2416728) which detailed an information disclosure vulnerability in ASP.NET.
All versions of Microsoft Exchange since 2003 use ASP.NET in a way in which the vulnerability could exist and the MS Exchange Team told administrators to look out for warnings in the application log that looked similar to: -
Event code: 3005 Event message: An unhandled exception has occurred. Event time: 11/11/1111 11:11:11 AM Event time (UTC): 11/11/1111 11:11:11 AM Event ID: 1309 Event sequence: 133482 Event occurrence: 44273 Event detail code: 0 Application information: Application domain: c1db5830-1-129291000036654651 Trust level: Full Application Virtual Path: / Application Path: C:\foo\TargetWebApplication\ Machine name: FOO Process information: Process ID: 3784 Process name: WebDev.WebServer40.exe Account name: foo Exception information: Exception type: CryptographicException Exception message: Padding is invalid and cannot be removed.
Even this is not a clear indicator that a system was under attack as it could exist for many legitimate reasons. They simply asked that if you see inexplicable versions of this and increased quantities of it that you investigate a bit deeper.
Thankfully today Microsoft announced the release of a security patch that will fix this vulnerability!
The Exchange Team say:
“The Exchange Server team has completed validation of this fix against Microsoft Exchange Server 2010, 2007 and 2003 and we are pleased to report that we have not identified any issues related to the application of this patch on an Exchange Server.
We recommend that Exchange customers consider applying this fix to all of their Exchange Servers which have an affected version of ASP.NET installed on the underlying Operating System in a timely manner to help protect against any attempts to exploit this vulnerability within their environment.”
So if you are a company that applies hotfixes and security patches only after serious testing, you better get on with it as this vulnerability is fixable so you have no excuses if you get exploited through it.
Good one Microsoft. Turning around a vulnerability from announcement on the 17th to repair on the 28th. That is a record 11 days!