Tech Support Websites


Sunday, 19 September 2010

Using ASP.NET? You MUST read this

Posted on 00:09 by Unknown
A security vulnerability (dubbed the 'Padding Oracle' crypto attack) has been identified in ASP.NET.

Scott Guthrie has a detailed blog post on it; read it and implement its advice to keep your ASP.NET applications safe. Excerpts:


This vulnerability exists in all versions of ASP.NET

...all versions of ASP.NET are affected, including ASP.NET MVC.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

...it also impacts SharePoint.

This vulnerability impacts ASP.NET resources (not just ASPX pages). You shouldn't need to make any changes to the custom error pages of IIS.

When we issue a patch the workaround won't be required. The workaround right now is a temporary one that can be used until the patch is available to prevent the attack that has been publicly demonstrated.
There are lots of different platform matrices and localization languages to build/test/verify, which is why producing a patch with high enough confidence to deploy automatically across millions of machines takes a bit of time to get right.
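As an added illustration (not from this post, and not Guthrie's own text), this is the shape of the temporary workaround his post described, as I recall it: every error, whatever its cause, is answered with one identical page, so the server's response no longer tells a client whether a ciphertext decrypted cleanly. File names below are placeholders.

```xml
<?xml version="1.0"?>
<!-- BEFORE (weak): separate pages per status code mean a decryption
     failure and an ordinary application error look different to the
     client. That difference is the "oracle" in the attack's name.

     <customErrors mode="On">
       <error statusCode="404" redirect="~/NotFound.aspx" />
       <error statusCode="500" redirect="~/ServerError.aspx" />
     </customErrors>
-->
<configuration>
  <system.web>
    <!-- AFTER (workaround): a single defaultRedirect and NO per-statusCode
         <error> entries, so all failures produce the same response.
         redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 / 4.0) renders the
         page in place instead of sending a 302, keeping the status uniform
         as well. On earlier frameworks omit redirectMode and point
         defaultRedirect at a static page such as ~/error.html. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

Treat this as a stop-gap only: the excerpt above says the workaround is temporary until the patch ships, and the patch is what actually removes the flaw.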


Wikipedia definitions of the computer security jargon being used in these discussions:

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

An exploit (from the same word in the French language, meaning "achievement" or "accomplishment") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Related links:
* StackOverflow: How serious is this new ASP.NET security vulnerability and how can I workaround it?
* Forum discussing this security vulnerability on the official ASP.NET website
* 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
* Discussion on Y Combinator Hacker News
Posted in ASP.NET, Security | No comments