[LINK] Serious security hole in Microsoft ASP.NET
Kim Holburn
kim at holburn.net
Sat Sep 18 10:10:12 AEST 2010
Note: this is an attack on the server so it doesn't matter which
browser or operating system you use.
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
> Security researchers 'destroy' Microsoft ASP.NET security
> In less than 50 minutes
> By Lawrence Latif
> Tue Sep 14 2010, 14:07
> RESEARCHERS have managed to exploit the way in which AES encryption
> is implemented in Microsoft's ASP.NET software to leave web users'
> data up for grabs.
>
> The exploit, to be shown off at the Ekoparty Conference later this
> week, could affect millions of websites that use AES encryption
> functions built into Microsoft's ASP.NET software to protect the
> integrity of cookies during user sessions. Since 'sessions' are used
> in web applications such as online banking, shopping and just about
> any website that requires a login, the exploit is particularly
> worrying.
>
> For users there's little to be done, as the problem resides in
> ASP.NET and is not mitigated by changing the web browser or
> operating system.
>
.....
> Duong said, "It's worth noting that the attack is 100 [per cent]
> reliable, [that is], one can be sure that once they run the attack,
> they can exploit the target. It's just a matter of time. If the
> attacker is lucky, then he can own any ASP.NET website in seconds.
> The average time for the attack to complete is 30 minutes. The
> longest time it ever takes is less than 50 minutes."
>
> The race is now on for Microsoft and those that use its ASP.NET
> software to protect themselves against an attack that requires only
> a "moderately skilled attacker".
>
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request