

Wednesday, September 22, 2010

Microsoft warns of .NET vulnerability


Microsoft is warning people of a potentially serious vulnerability in its ASP.NET framework used to create Web sites.

The hole affects all versions of the .NET framework and affects Windows XP, Vista, Windows 7, and Windows Server 2003 and 2008, the company said in an advisory released late on Friday.

"At this time we are not aware of any attacks using this vulnerability and we encourage customers to review the advisory for mitigations and workarounds," the company said in a blog post.

Microsoft also provided a script to help administrators determine if their ASP.NET applications are vulnerable.

The vulnerability is caused by ASP.NET providing details to Web clients in error messages when decrypting certain ciphertext, Microsoft said. An attacker may be able to read or tamper with data that was encrypted by the server, as well as read data from files on the target server.
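Since the flaw stems from error details reaching Web clients, one check an administrator can make is whether a site's web.config maps every failure to a single error page. The following is an added example, not Microsoft's script or code from the advisory; it assumes the `customErrors` section of web.config governs what clients see on failure, and the sample configs and the function name `audit_custom_errors` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the article or from any real site).
WEAK = """<configuration><system.web>
  <customErrors mode="Off">
    <error statusCode="404" redirect="~/notfound.html" />
    <error statusCode="500" redirect="~/servererror.html" />
  </customErrors>
</system.web></configuration>"""

UNIFORM = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

def audit_custom_errors(web_config_xml):
    """Return findings for one web.config document; an empty list means
    every failure is mapped to one error page."""
    root = ET.fromstring(web_config_xml)
    nodes = list(root.iter("customErrors"))  # also catches <location>-scoped sections
    if not nodes:
        return ["no <customErrors> element: no uniform error page is configured"]
    findings = []
    for node in nodes:
        mode = node.get("mode", "RemoteOnly")  # RemoteOnly is the framework default
        if mode.lower() == "off":
            findings.append('mode="Off": detailed errors are sent to remote clients')
        if not node.get("defaultRedirect"):
            findings.append("no defaultRedirect: failures are not mapped to a single page")
        codes = [e.get("statusCode", "?") for e in node.findall("error")]
        if codes:
            findings.append("per-status <error> entries for " + ", ".join(codes)
                            + ": the response reveals which failure occurred")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK), ("uniform", UNIFORM)):
        print(name, audit_custom_errors(xml_text) or "OK")
```

An empty result only says the configuration returns one error page; it does not replace the mitigations and workarounds in Microsoft's advisory.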

Microsoft's security advisory came after two researchers presented a talk on the vulnerability at the Ekoparty security conference in Buenos Aires on Friday.

"You can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API!" the researchers said in the description of their talk on the conference Web site. "The vulnerabilities exploited affect the framework used by 25 percent of the Internet websites. The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise."


mapserver hosting said...

We've begun to see limited attacks with the ASP.NET vulnerability. Another irresponsible disclosure of a security vulnerability. These so-called 'researchers' are the real ones putting people at risk. They are basically accomplices to cyber-crime. Your 15 minutes of fame will likely cause some poor small business owner a lot of time and money. I am sure Microsoft will give you credit for finding the bug if you tell them first.
