Microsoft to issue emergency patch for ASP.Net vuln

Microsoft to issue emergency patch for ASP.Net vuln
Microsoft to issue emergency patch for ASP.Net vuln

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Transfer-Encoding: QUOTED-PRINTABLE

By Dan Goodin in San Francisco 
The Register
27th September 2010 

Microsoft will release an emergency patch on Tuesday that plugs a 
security hole in a variety of its web developer tools that has been 
under active attack for more than a week.

The vulnerability in ASP.Net applications allows attackers to decrypt 
password files, cookies, and other sensitive data that is supposed to 
remain encrypted as they pass from the server to a web browser. It works 
by flooding a server with thousands of corrupted web requests and then 
analyzing the error messages and other responses that result. The series 
of responses are known as a =E2=80=9Ccryptographic padding oracle=E2=80=9D that over 
time deliver information that an attacker can deduce the secret key used 
to scramble the communications.

The vulnerability was disclosed two weeks ago at the Ekoparty conference 
in Argentina. Microsoft soon responded with an advisory that warned that 
the vulnerability was under =E2=80=9Climited attack.=E2=80=9D It recommended that users 
implement several temporary measures to make the exploits harder to 
carry out.

The workaround involves reconfiguring a webserver so that all error 
messages are mapped to a single error page that prevents the attacker 
from distinguishing among different types of errors, effectively 
muzzling the oracle. Thai Duong, one of the researchers who disclosed 
the vulnerability, has said turning off customized error messages isn't 
enough to prevent exploits, because attackers can still glean important 
clues by measuring the different amounts of time required for certain 
errors to be returned.


Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Subscribe to InfoSec News - 


Site design & layout copyright © 1986-2014 CodeGods