http://www.theregister.co.uk/2010/09/27/asp_dot_net_padding_oracle_fix/ By Dan Goodin in San Francisco The Register 27th September 2010 Microsoft will release an emergency patch on Tuesday that plugs a security hole in a variety of its web developer tools that has been under active attack for more than a week. The vulnerability in ASP.Net applications allows attackers to decrypt password files, cookies, and other sensitive data that is supposed to remain encrypted as they pass from the server to a web browser. It works by flooding a server with thousands of corrupted web requests and then analyzing the error messages and other responses that result. The series of responses are known as a “cryptographic padding oracle” that over time deliver information that an attacker can deduce the secret key used to scramble the communications. The vulnerability was disclosed two weeks ago at the Ekoparty conference in Argentina. Microsoft soon responded with an advisory that warned that the vulnerability was under “limited attack.” It recommended that users implement several temporary measures to make the exploits harder to carry out. The workaround involves reconfiguring a webserver so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors, effectively muzzling the oracle. Thai Duong, one of the researchers who disclosed the vulnerability, has said turning off customized error messages isn't enough to prevent exploits, because attackers can still glean important clues by measuring the different amounts of time required for certain errors to be returned. [...] _______________________________________________________ Subscribe to InfoSec News - www.infosecnews.org http://www.infosecnews.org/mailman/listinfo/isnReceived on Thu Sep 30 2010 - 00:05:24 PDT
This archive was generated by hypermail 2.2.0 : Thu Sep 30 2010 - 00:15:50 PDT