Information Security News mailing list archives
Microsoft warns of in-the-wild attacks on web app flaw
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 22 Sep 2010 03:02:38 -0500 (CDT)
http://www.theregister.co.uk/2010/09/21/asp_dot_net_padding_oracle_fix/ By Dan Goodin in San Francisco The Register 21st September 2010 Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests. Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files. “There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft's Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.) [...]
_______________________________________________________ Subscribe to InfoSec News - www.infosecnews.org http://www.infosecnews.org/mailman/listinfo/isn
Current thread:
- Microsoft warns of in-the-wild attacks on web app flaw InfoSec News (Sep 22)