[LINK] Serious security hole in Microsoft ASP.NET

Kim Holburn kim at holburn.net
Sat Sep 18 10:10:12 AEST 2010


Note: this is an attack on the server so it doesn't matter which  
browser or operating system you use.

http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

> Security researchers 'destroy' Microsoft ASP.NET security
> In less than 50 minutes
> By Lawrence Latif
> Tue Sep 14 2010, 14:07
> RESEARCHERS have managed to exploit the way in which AES encryption  
> is implemented in Microsoft's ASP.NET software to leave web users'  
> data up for grabs.
>
> The exploit, to be shown off at the Ekoparty Conference later this  
> week, could affect millions of websites that use AES encryption  
> functions built into Microsoft's ASP.NET software to protect the  
> integrity of cookies during user sessions. Since 'sessions' are used  
> in web applications such as online banking, shopping and just about  
> any website that requires a login, the exploit is particularly  
> worrying.
>
> For users there's little to be done, as the problem resides in  
> ASP.NET and is not mitigated by changing the web browser or  
> operating system.
>

.....
> Duong said, "It's worth noting that the attack is 100 [per cent]  
> reliable, [that is], one can be sure that once they run the attack,  
> they can exploit the target. It's just a matter of time. If the  
> attacker is lucky, then he can own any ASP.NET website in seconds.  
> The average time for the attack to complete is 30 minutes. The  
> longest time it ever takes is less than 50 minutes."
>
> The race is now on for Microsoft and those that use its ASP.NET  
> software to protect themselves against an attack that requires only  
> a "moderately skilled attacker".
>


-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request











