http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/ By Dan Goodin in San Francisco The Register 21st September 2010 Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests. Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files. “There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft's Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.) [...] _______________________________________________________ Subscribe to InfoSec News - www.infosecnews.org http://www.infosecnews.org/mailman/listinfo/isnReceived on Wed Sep 22 2010 - 01:02:38 PDT
This archive was generated by hypermail 2.2.0 : Wed Sep 22 2010 - 01:06:52 PDT