Tech Support Websites

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 19 September 2010

Using ASP.NET? You MUST read this

Posted on 00:09 by Unknown
A security vulnerability (dubbed as 'Padding Oracle' Crypto Attack) has been identified in ASP.NET.

Scott Guthrie has a detailed blog post that you must read & implement the advice in it to keep your ASP.NET applications safe. Excerpts -


This vulnerability exists in all versions of ASP.NET

...all versions of ASP.NET are affected, including ASP.NET MVC.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

..it also impacts Sharepoint.

This vulnerability impacts ASP.NET resources (not just ASPX pages).  You shouldn't need to make any changes to the custom error pages of IIS.

When we issue a patch the workaround won't be required.  The workaround right now is a temporary one that can be used until the patch is available to prevent the attack that has been publicly demonstrated. 
There are lots of different platform matrixes and localization languages to build/test/verify which is why producing a patch with high confidence enough to deploy automatically across millions of machines takes a bit of time to get right.


Wikipedia definitions of computer security jargon being used in discussions -

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Related links:
* StackOverflow: How serious is this new ASP.NET security vulnerability and how can I workaround it?
* Forum discussing this security vulnerability on the official ASP.NET website
* 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
* Discussion on Y Combinator Hacker News
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in ASP.NET, Security | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Windows 8 keyboard shortcuts
    Win + X   - context menu to access common features like Control Panel, Task Manager, File Explorer, Programs & Features, Run, Search etc...
  • Dashboard-like info with Browser tabs, Windows 7 Taskbar tabs
    Browser tabs & Windows 7 Taskbar tabs are turning self-aware.  This is how my browser looked the other day: I had the summary of all tha...
  • The State Of HTML5 Video
    Key points from the  The State Of HTML5 Video  report by LongTailVideo (last updated on April 19, 2012): 75% of the desktop & mobile bro...
  • Archive tweets & favorites with Google Reader
    There are numerous ways to archive tweets but rather than use yet another tool, I prefer using Google Reader to preserve the tweets I mark ...
  • TWIL - Week #3
    This Week I Learned: New Azure VM Image Templates include SQL Server, BizTalk Server, and SharePoint Server (2013?) images . This can be han...
  • What is the difference between Browser Mode & Document Mode in IE
    If you're a web developer and your job actively involves building web pages that work the same in all browsers including the last three ...
  • My 30-day personal project - watch 100 hours of Pluralsight videos
    Inspired by Matt Cutts' 30-day challenges , I plan to watch 100 hours of Pluralsight online videos to get up-to-date with current ...
  • Azure in Pictures - overview of Windows Azure Features, Services and Common Uses
    Download the Windows Azure Poster in PDF format (1.1MB)
  • Indian comparison shopping sites
    Did you know, India has 120 million Internet users & the Indian e-commerce market is worth $7 billion ?  Travel accounts for over 80 per...
  • HOW TO dynamically generate a Word document with custom header & footer
    Way back in 2004, a project I was working on required a web page to be exported as a Word document (.DOC). Without relying on any components...

Categories

  • AJAX
  • Android
  • APIs
  • App
  • ASP
  • ASP.NET
  • ASP.NET-MVC
  • Azure
  • Azure SQL Database
  • AzureInPictures
  • Bing
  • Book Review
  • Bookmarklet
  • Browsers
  • C#
  • chart
  • Chrome
  • Cloud
  • CSS
  • CSS3
  • DidYouKnow
  • E-Commerce
  • Excel
  • FB
  • Fiddler
  • Firefox
  • Gadgets
  • GeoLocation
  • GMail
  • Google
  • Google Docs
  • Google Reader
  • Health
  • Hotmail
  • HOWTO
  • HTML
  • HTML/CSS
  • HTML5
  • Humor
  • Hyderabad
  • IE
  • IIS
  • India
  • Internet
  • IT
  • Javascript
  • jQuery
  • JSON
  • JSONP
  • Laptop
  • Learning Resources
  • Lists
  • Map
  • Metrics
  • Microsoft
  • miscellaneous
  • Mobile
  • NAPA
  • Office365
  • Opera
  • PDF
  • Performance
  • Personal
  • PHP
  • PM
  • PowerShell
  • Privacy
  • Programming
  • Rant
  • Safari
  • Science
  • Search Engines
  • SearchEngines
  • Security
  • SEO
  • Sharepoint
  • SharePoint2013
  • Silverlight
  • Software Engineering
  • Solutions
  • SQL Azure
  • SQL Server
  • TFS
  • Tip
  • Tips
  • Tools
  • Tools/Utilities
  • Trivia
  • TWIL
  • Twitter
  • UX
  • VM
  • VS.NET
  • VS2010
  • VS2012
  • WCF
  • WebApps
  • Websites
  • WF
  • Windows Phone
  • Windows7
  • Windows8
  • Word
  • WP7
  • WPF

Blog Archive

  • ►  2013 (112)
    • ►  October (16)
    • ►  September (14)
    • ►  August (8)
    • ►  July (8)
    • ►  June (13)
    • ►  May (12)
    • ►  April (12)
    • ►  March (8)
    • ►  February (15)
    • ►  January (6)
  • ►  2012 (127)
    • ►  December (11)
    • ►  November (14)
    • ►  October (13)
    • ►  September (14)
    • ►  August (16)
    • ►  July (16)
    • ►  June (6)
    • ►  May (5)
    • ►  April (11)
    • ►  March (12)
    • ►  February (7)
    • ►  January (2)
  • ►  2011 (98)
    • ►  December (5)
    • ►  November (2)
    • ►  October (5)
    • ►  September (7)
    • ►  August (7)
    • ►  July (15)
    • ►  June (10)
    • ►  May (7)
    • ►  April (8)
    • ►  March (10)
    • ►  February (11)
    • ►  January (11)
  • ▼  2010 (163)
    • ►  December (14)
    • ►  November (19)
    • ►  October (19)
    • ▼  September (15)
      • HOW TO monitor performance and availability status...
      • India ranks fourth in Internet usage
      • Discover patterns with Wordle
      • jQuery on CDN - Usage Stats
      • Your digital camera can land you in trouble
      • Using ASP.NET? You MUST read this
      • Job ad in HTML source code
      • AJAX is like steriods for web apps
      • Think Mobile First
      • See what Google is suggesting - II
      • HOW TO prevent 3rd-party browser extensions from b...
      • 15 years of Internet Explorer
      • Microsoft SharedView - free document & screen shar...
      • HOW TO perform mouse actions with the keyboard
      • HOW TO dynamically generate a Word document with c...
    • ►  August (18)
    • ►  July (17)
    • ►  June (20)
    • ►  May (17)
    • ►  April (19)
    • ►  March (5)
Powered by Blogger.

About Me

Unknown
View my complete profile