Using ASP.NET? You MUST read this

A security vulnerability (dubbed the 'Padding Oracle' crypto attack) has been identified in ASP.NET.

Scott Guthrie has a detailed blog post that you must read, and whose advice you must implement, to keep your ASP.NET applications safe. Excerpts -


This vulnerability exists in all versions of ASP.NET

...all versions of ASP.NET are affected, including ASP.NET MVC.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

...it also impacts Sharepoint.

This vulnerability impacts ASP.NET resources (not just ASPX pages).  You shouldn't need to make any changes to the custom error pages of IIS.

When we issue a patch the workaround won't be required.  The workaround right now is a temporary one that can be used until the patch is available to prevent the attack that has been publicly demonstrated. 
There are lots of different platform matrixes and localization languages to build/test/verify which is why producing a patch with high confidence enough to deploy automatically across millions of machines takes a bit of time to get right.
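As an added example that is not part of this post or of the quoted text above: the general shape of the temporary workaround, a web.config that routes every error, whatever its cause, to one custom error page so the response to a bad padding check is indistinguishable from any other failure. The page name `~/error.aspx` is an assumption; the `redirectMode` attribute exists only on .NET 3.5 SP1 and later, so drop it on older frameworks.

```xml
<!-- Added example (not from the page): ASP.NET customErrors configuration for the
     temporary padding-oracle workaround. The error page name is assumed. -->
<configuration>
  <system.web>

    <!-- WEAK: per-status-code pages give the attacker a different response for
         different failure types, which is exactly the signal a padding oracle needs.
         Remove every <error .../> entry like these. -->
    <!--
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
    -->

    <!-- HARDENED: one page for every error, mode="On" so local requests behave the
         same as remote ones, ResponseRewrite so the client is not told by a redirect
         which error occurred. No child <error> elements. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />

  </system.web>
</configuration>
```

Keep the error page itself generic (no status-specific text), since any visible difference between failure types reopens the side channel the configuration is meant to close.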


Wikipedia definitions of computer security jargon being used in discussions -

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Related links:
* StackOverflow: How serious is this new ASP.NET security vulnerability and how can I workaround it?
* Forum discussing this security vulnerability on the official ASP.NET website
* 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
* Discussion on Y Combinator Hacker News
