Tech Support Websites

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Sunday, 19 September 2010

Using ASP.NET? You MUST read this

Posted on 00:09 by Unknown
A security vulnerability (dubbed as 'Padding Oracle' Crypto Attack) has been identified in ASP.NET.

Scott Guthrie has a detailed blog post that you must read & implement the advice in it to keep your ASP.NET applications safe. Excerpts -


This vulnerability exists in all versions of ASP.NET

...all versions of ASP.NET are affected, including ASP.NET MVC.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

..it also impacts Sharepoint.

This vulnerability impacts ASP.NET resources (not just ASPX pages).  You shouldn't need to make any changes to the custom error pages of IIS.

When we issue a patch the workaround won't be required.  The workaround right now is a temporary one that can be used until the patch is available to prevent the attack that has been publicly demonstrated. 
There are lots of different platform matrixes and localization languages to build/test/verify which is why producing a patch with high confidence enough to deploy automatically across millions of machines takes a bit of time to get right.


Wikipedia definitions of computer security jargon being used in discussions -

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Related links:
* StackOverflow: How serious is this new ASP.NET security vulnerability and how can I workaround it?
* Forum discussing this security vulnerability on the official ASP.NET website
* 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
* Discussion on Y Combinator Hacker News
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in ASP.NET, Security | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 10 ways to make laptop battery last longer
    Paraphrased from a Right Choice magazine article with my own opinions: Keep the brightness of the screen as low as possible. If portability ...
  • Free JavaScript & jQuery learning resources
    There is a nice compilation of JavaScript & jQuery learning resources in this community wiki on StackOverflow.com . I picked those which...
  • A new JavaScript Reference to bookmark
    For years, the JavaScript section at W3Schools.com has been a indispensable source of reference for me . It will now not be my only source. ...
  • Words that leave Google Instant speechless
    2600 Magazine has compiled a list of objectionable words that Google Instant has blacklisted. Several volunteers have submitted blackliste...
  • Manipulate PDF files for free with PDFRider
    PDFRider (currently in version 0.5) is an open source project on Codeplex. This utility provides a GUI for the command-line program  Pdftk ...
  • Look what Google Goggles visual search can do
    Google Goggles is a visual search application available currently for Android powered phones. It may possibly be available for phones of oth...
  • HOW TO read long text messages on the Samsung Omnia 652
    Samsung Omnia 652 clumps text messages from a single recepient together. Scrolling through a message doesn't reveal the entire message ...
  • India ranks fourth in Internet usage
    Deepak Shenoy informs that as per Telecom Regulatory Authority of India (TRAI) data, India has nearly 10 million Broadband connections in ...
  • What is the difference between Browser Mode & Document Mode in IE
    If you're a web developer and your job actively involves building web pages that work the same in all browsers including the last three ...
  • "Open With Google Docs Viewer" IE8 Accelerator
    Accelerators in IE8 work on text within a web page & let you access popular web services from the context menu. For instance, to transla...

Categories

  • AJAX
  • Android
  • APIs
  • App
  • ASP
  • ASP.NET
  • ASP.NET-MVC
  • Azure
  • Azure SQL Database
  • AzureInPictures
  • Bing
  • Book Review
  • Bookmarklet
  • Browsers
  • C#
  • chart
  • Chrome
  • Cloud
  • CSS
  • CSS3
  • DidYouKnow
  • E-Commerce
  • Excel
  • FB
  • Fiddler
  • Firefox
  • Gadgets
  • GeoLocation
  • GMail
  • Google
  • Google Docs
  • Google Reader
  • Health
  • Hotmail
  • HOWTO
  • HTML
  • HTML/CSS
  • HTML5
  • Humor
  • Hyderabad
  • IE
  • IIS
  • India
  • Internet
  • IT
  • Javascript
  • jQuery
  • JSON
  • JSONP
  • Laptop
  • Learning Resources
  • Lists
  • Map
  • Metrics
  • Microsoft
  • miscellaneous
  • Mobile
  • NAPA
  • Office365
  • Opera
  • PDF
  • Performance
  • Personal
  • PHP
  • PM
  • PowerShell
  • Privacy
  • Programming
  • Rant
  • Safari
  • Science
  • Search Engines
  • SearchEngines
  • Security
  • SEO
  • Sharepoint
  • SharePoint2013
  • Silverlight
  • Software Engineering
  • Solutions
  • SQL Azure
  • SQL Server
  • TFS
  • Tip
  • Tips
  • Tools
  • Tools/Utilities
  • Trivia
  • TWIL
  • Twitter
  • UX
  • VM
  • VS.NET
  • VS2010
  • VS2012
  • WCF
  • WebApps
  • Websites
  • WF
  • Windows Phone
  • Windows7
  • Windows8
  • Word
  • WP7
  • WPF

Blog Archive

  • ►  2013 (112)
    • ►  October (16)
    • ►  September (14)
    • ►  August (8)
    • ►  July (8)
    • ►  June (13)
    • ►  May (12)
    • ►  April (12)
    • ►  March (8)
    • ►  February (15)
    • ►  January (6)
  • ►  2012 (127)
    • ►  December (11)
    • ►  November (14)
    • ►  October (13)
    • ►  September (14)
    • ►  August (16)
    • ►  July (16)
    • ►  June (6)
    • ►  May (5)
    • ►  April (11)
    • ►  March (12)
    • ►  February (7)
    • ►  January (2)
  • ►  2011 (98)
    • ►  December (5)
    • ►  November (2)
    • ►  October (5)
    • ►  September (7)
    • ►  August (7)
    • ►  July (15)
    • ►  June (10)
    • ►  May (7)
    • ►  April (8)
    • ►  March (10)
    • ►  February (11)
    • ►  January (11)
  • ▼  2010 (163)
    • ►  December (14)
    • ►  November (19)
    • ►  October (19)
    • ▼  September (15)
      • HOW TO monitor performance and availability status...
      • India ranks fourth in Internet usage
      • Discover patterns with Wordle
      • jQuery on CDN - Usage Stats
      • Your digital camera can land you in trouble
      • Using ASP.NET? You MUST read this
      • Job ad in HTML source code
      • AJAX is like steriods for web apps
      • Think Mobile First
      • See what Google is suggesting - II
      • HOW TO prevent 3rd-party browser extensions from b...
      • 15 years of Internet Explorer
      • Microsoft SharedView - free document & screen shar...
      • HOW TO perform mouse actions with the keyboard
      • HOW TO dynamically generate a Word document with c...
    • ►  August (18)
    • ►  July (17)
    • ►  June (20)
    • ►  May (17)
    • ►  April (19)
    • ►  March (5)
Powered by Blogger.

About Me

Unknown
View my complete profile