Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Sep 28, 2010

ASP.NET vulnerability gets fixed!

There has been quite some discussion (and speculation!) about the ASP.NET padding oracle vulnerability on various blogs around the Internet the last couple of days. After Microsoft published an advisory on it, the ASP.NET community has been following ScottGu's blog closely.

The issue has seen increasing attention. Yesterday the vulnerability was mentioned on Schneier's blog, where he provided a link to a Threat Post from Kaspersky where the guys behind the exploit were interviewed. The vulnerability and exploit tools were also discussed. The threat post was dated September 13, four days before Microsoft released the first security advisory on the issue. Since then, the amount of information on the vulnerability has only increased throughout the Internet. Now, there's so much information available from different sources that there's not much security through secrecy left.


In today's Kaspersky article on the vulnerability the authors of the exploit state that Microsoft's workarounds are ineffective. These guys seem very confident in the effectiveness of their attack. But as long as the attack relies on observing different behaviour occurring over a series of requests to a webserver, Microsoft's workarounds make sense. It's all about maximising the effort an attacker has to put into a successful attack — through reducing his likelihood of success per time period. In the demo, it took 38 000 web requests before the attack was successful. E.g. Doubling the amount of requests necessary for a successful attack will buy valuable time!

But, good news has arrived as I'm writing this! ScottGu just blogged about a security update shipping tomorrow! Honestly, we've been looking forward to this one! I guess a lot of people will spend the next day or two testing the patch. Happy patching! :)

7 comments:

  1. I think that you should definitely read this and learn something new. It was really useful for me in college.

    ReplyDelete
  2. Thank you for sharing an interesting and very useful article. And let me share an article about health here I believe this is useful. Thank you :)

    Obat Polip Telinga Alami Tanpa Operasi
    Obat Penghancur Kista Ovarium
    Obat Nyeri Tumit Tradisional

    ReplyDelete
  3. Gone off a Xany, nodding off, watching Menace. Rolling off some purple that my n-gga call Grimace read this.

    ReplyDelete
  4. Thank you for this post. This is very interesting information for me.

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts