Last Saturday (European time), Microsoft released the first version of a security advisory stating that a vulnerability in ASP.NET could allow information disclosure. In the initial report it seemed that a vulnerability had surfaced in a cryptographic function in ASP.NET. The risk appeared to be leakage of information from encrypted viewstate, but there was also a mention of the possibility to disclose files on the IIS. It was unclear whether these were combined or separate issues, but the issue seemed to be viewstate specific.
However, renowned Microsoft employee Scott Guthrie revealed that the vulnerability was far more serious on his blog, first in his post Important ASP.NET security vulnerability just hours after the MS advisory was released. Two days later he posted FAQ about the ASP.NET security vulnerability, probably to sort out some of the confusion around the vulnerability. Guthrie listed disclosure of viewstate and disclosure of files from the webserver as two separate issues stemming from the same vulnerability. He also provided a workaround to reduce the chances of a successful exploit, and urged all ASP.NET users to quickly implement the temporary fix.
An interesting observation was that a lot of the key information useful for system owners was found way down in the several hundred comments on Guthrie's first blog post. There he stated that not only the traditional Web Forms technology (where viewstate is a central component) was affected, but all web applications running on .Net were equally vulnerable, including MVC applications and also products such as Sharepoint. Suddenly, it was clear that the vulnerability affected the vast majority (if not all) of Microsoft's customers running web applications on .Net. It's a good thing Guthrie summarized the information in his second post.
The Microsoft advisory was updated the next day (Tuesday, European time), and informed that Microsoft had already started seeing limited attacks on the Internet. This is bad, if you host a .Net web application, implement the workaround in the security advisory as soon as possible.
The background
Interestingly enough, practical padding oracle exploits are discussed in a Usenix paper by Rizzo and Duong published in May. The paper primarily targets how the vulnerability can be exploited in the Java Server Faces (JSF) framework, but underscores that the weakness probably exists in other technologies as well. The paper further explains how the padding oracle also can act as an encryption oracle — letting an attacker create valid ciphertexts without knowledge of the encryption key.
As a sidenote, Rizzo and Duong in their paper refer to padding oracle attack pre-
sented by Vaudenay at EuroCrypt 2002, a well known crypto conference. Today's severe vulnerability is in no way new. Its principles have been known for eight years and a practical attack has been known for at least five months after Rizzo gave a presentation of the techniques at the Blackhat Europe conference.
Microsoft will hopefully be able to provide a patch sooner than later. The root cause must be resolved, the oracle must be silenced.
Disclaimer
Subscribe to:
Post Comments (Atom)
Copyright notice
Read other popular posts
-
Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encry... -
Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post... -
Security headers in an HTTP response There are many things to consider when securing a web application but a definite "quick win&qu... -
Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they pr... -
I noticed some unexpected activity on my Facebook wall the other day. I have a special list of "friends," who aren't really fr... -
I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 20... -
Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an ... -
I just discovered that Facebook reveal to search engines the users who "Like" a page , regardless of their privacy settings. Try a... -
Though Windows Server 2003 has been around for a while, we'll still see them around the Internet for many years to come. Despite their u...
-
I just ran into a weird problem while creating a bootable USB-stick, it was impossible to do a full copy of the files from an .iso. I tried...
louboutin pas cher
ReplyDeleteferragamo belt
mcm outlet
patriots jerseys
bulls jerseys
adidas soccer shoes
giuseppe zanotti shoes
coach factory outlet
timberland boots
salvatore ferragamo
chenlina20170421
Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer learn from Dot Net Training in Chennai. or learn thru ASP.NET Essential Training Online . Nowadays Dot Net has tons of job opportunities on various vertical industry.
Deleteor Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry.
20170518 leilei3915
ReplyDeleteadidas outlet store
polo ralph lauren
mulberry uk
hermes belts outlet
kate spade handbags
kate spade outlet online
nike shoes on sale
oakley sunglasses wholesale
cheap oakley sunglasses
christian louboutin shoes
ugg shoes
ReplyDeletecanada goose jackets
coach outlet store
kate spade handbags
adidas shoes
jordan retro
kate spade outlet store
coach outlet store
nike air max
coach factory outlet
12.09linpingping
I always like to find something new in the Internet. Few weeks ago I found https://domyhomework.guru/blog/how-to-focus-on-homework and now I know how to concentrate on my homework.
ReplyDeleteThis article is interesting and useful. Thank you for sharing. And let me share an article about health that God willing will be very useful. Thank you :)
ReplyDeleteObat Alami Menurunkan tekanan Darah Tinggi
Obat Penyakit kulit Eksim
Obat Benjolan Di Ketiak
Cara Mengobati Kencing Tersendat
Obat Tradisional Telinga Berdengung
Cara Mengobati Prurigo
surveillancekart security system
ReplyDeletesurveillancekart cctv installation services
cp plus
Pestveda pest control services
dezigly
The feedgasm Latest News And Breaking News
quicksodes
latest news in hindi
jordan 12
ReplyDeletegoyard handbags
ferragamo belt
golden goose slide
gucci belt
michael kors bags
air max
nike huarache
off white jordan 1
gucci belts
Good information and, keep sharing like this.
ReplyDeleteCrm Software Development Company in Chennai
Good Information keep going.
ReplyDeleteYouTube Marketing Company in Chennai
Nice post.
ReplyDeleteSmm company in Chennai
Great Sound, you provided a valuable information.
ReplyDeletewordpress ecommerce development company chennai
Nice information.
ReplyDeleteSeo Company in Chennai
ReplyDeleteNice information keep sharing like this.
scaffolding dealers in chennai
Aluminium scaffolding dealers in chennai
Aluminium scaffolding hire
Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
ReplyDeletepost free classified ads in india
Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
ReplyDeleteScaffolding Dealers in Chennai
Aluminium Scaffolding Dealers in Chennai
Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
ReplyDeleteweb portal development company in chennai
Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
ReplyDeleteweb portal development company in chennai
Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
ReplyDeletescaffolding dealers in chennai
aluminium scaffolding dealers in chennai
carlla poggenpoel, kelly khumalo husband, zoocci coke dope anxiety, chad da don new album, chad da don album, emtee, chad da don ft emtee, kelly khumalo, chad da don ft emtee download, chad da don album, chad da don ft emtee mp3, chad da don album download, chad da don ft emtee mp3 download, kelly khumalo and chad da don, fakaza, chad da don ft emtee remix, chad da don instagram, flexyjam, aka, chad da don new album, jason noah ft chad da don, kelly khumalo instagram, chad da don new girlfriend, youngstacpt, kelly khumalo husband, zoocci coke dope anxiety, fakaza.com, chad da don wife, carlla poggenpoel
ReplyDeleteYour writing style is very unique in comparison to other bloggers I have read stuff from. Thanks for posting! when you have time could please write a blog for the get angel investors for startup because I like your writing style, I will just book mark this web site.
ReplyDeleteThank you so much for this amazing information sharing with us. I am an antique article collector and this article is one of the best I have ever read. I just want to say if you have any idea about best altcoin to invest in 2020 include that in your article because i like writing style.
ReplyDeleteASP.NET is an open-source, server-side web-application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic websites, applications and services. This platform is very useful for us. Assignment writing services.
ReplyDelete
ReplyDeleteskycut plotter india
experts
mobileskinsoftware
silhouette cameo 4
mobileskinsoftware
ambition gifts
top sublimation
wemaketrips