Microsoft warns of in-the-wild attacks on web app flaw

Microsoft warns of in-the-wild attacks on web app flaw
Microsoft warns of in-the-wild attacks on web app flaw

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Dan Goodin in San Francisco
The Register
21st September 2010 

Attackers have begun exploiting a recently disclosed vulnerability in 
Microsoft web-development applications that opens password files and 
other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed 
last week at the Ekoparty Conference in Argentina. Microsoft on Friday 
issued a temporary fix for the so-called =E2=80=9Ccryptographic padding attack,=E2=80=9D 
which allows attackers to decrypt protected files by sending vulnerable 
systems large numbers of corrupted requests.

Now, Microsoft security pros say they are seeing =E2=80=9Climited attacks=E2=80=9D in 
the wild and warned that they can be used to read and tamper with a 
system's most sensitive configuration files.

=E2=80=9CThere is a combination of attacks that was publicly demonstrated that 
can leak the contents of your web.config file, including any sensitive, 
unencrypted, information in the file,=E2=80=9D Microsoft's Scott Guthrie wrote 
on Monday night. =E2=80=9CYou should apply the workaround to block the padding 
oracle attack in its initial stage of the attack.=E2=80=9D (He went on to say 
sensitive data within web.config files should also be encrypted.)


Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News - 


Site design & layout copyright © 1986-2015 CodeGods