[ISN] Microsoft to issue emergency patch for ASP.Net vuln

From: InfoSec News <alerts_at_private>
Date: Thu, 30 Sep 2010 02:05:24 -0500 (CDT)
http://www.theregister.co.uk/2010/09/27/asp_dot_net_padding_oracle_fix/

By Dan Goodin in San Francisco 
The Register
27th September 2010 

Microsoft will release an emergency patch on Tuesday that plugs a 
security hole in a variety of its web developer tools that has been 
under active attack for more than a week.

The vulnerability in ASP.Net applications allows attackers to decrypt 
password files, cookies, and other sensitive data that is supposed to 
remain encrypted as they pass from the server to a web browser. It works 
by flooding a server with thousands of corrupted web requests and then 
analyzing the error messages and other responses that result. The series 
of responses are known as a “cryptographic padding oracle” that over 
time deliver information that an attacker can deduce the secret key used 
to scramble the communications.

The vulnerability was disclosed two weeks ago at the Ekoparty conference 
in Argentina. Microsoft soon responded with an advisory that warned that 
the vulnerability was under “limited attack.” It recommended that users 
implement several temporary measures to make the exploits harder to 
carry out.

The workaround involves reconfiguring a webserver so that all error 
messages are mapped to a single error page that prevents the attacker 
from distinguishing among different types of errors, effectively 
muzzling the oracle. Thai Duong, one of the researchers who disclosed 
the vulnerability, has said turning off customized error messages isn't 
enough to prevent exploits, because attackers can still glean important 
clues by measuring the different amounts of time required for certain 
errors to be returned.

[...]


_______________________________________________________      
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn
Received on Thu Sep 30 2010 - 00:05:24 PDT

This archive was generated by hypermail 2.2.0 : Thu Sep 30 2010 - 00:15:50 PDT