(WEB HOST INDUSTRY REVIEW) — More than a week after first divulging a vulnerability in the ASP.NET Web application framework used to create websites, Microsoft (www.microsoft.com) is set to issue an emergency patch Tuesday addressing the security flaw, which could allow an attacker to tamper with the contents of users’ private data.
On September 17, Microsoft released an advisory for a vulnerability found in the ASP.Net Web application framework that would allow the stealing and changing of user data such as usernames, passwords, and database connection strings.
The flaw involves ASP.NET’s use of encryption padding: information leaked in error messages gives an attacker the opportunity to read and possibly alter encrypted data, according to an eWeek report. Security researchers Juliano Rizzo and Thai Duong demonstrated the flaw and presented their findings at the Ekoparty security conference in Buenos Aires, Argentina.
According to a Microsoft security bulletin advance notification issued Monday, Microsoft will mend the flaw in the ASP.Net framework. The out-of-band security bulletin will be released at 1 pm PT, at which time there will be a 90 minute webcast featuring Microsoft response communications director Dave Forstrom and senior security manager Dustin Childs, who will be addressing customer questions.
The emergency update for the .NET Framework used on all Windows Server operating systems will carry the severity rating of “important”. Windows desktop systems are also listed as affected, but consumers should not be vulnerable unless they are running a Web server locally on their computer.
In the meantime, Microsoft Developer Division corporate vice president Scott Guthrie detailed a workaround that can be applied immediately to sites and applications to prevent exploitation, as well as an additional defensive measure: installing a URLScan rule that prevents attackers from distinguishing between the different types of errors occurring on a server.
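The two points above, that distinguishable error responses around encryption padding are the leak and that the workaround is to make every failure look the same, can be shown in a few lines of code. The following Go program is an added illustration and is not Microsoft's code nor the researchers' tooling: it builds a deliberately leaky token format (MAC-then-encrypt, with separate "invalid padding" and "signature mismatch" errors) beside a hardened one (encrypt-then-MAC, one "invalid token" error for every failure), then runs the check a defender wants: tamper with a token in two different places and count how many distinct failure responses come back. The keys, IV and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys and IV (fixed for determinism). Real code derives
// separate keys from a KDF and draws the IV from crypto/rand per message.
var (
	encKey = bytes.Repeat([]byte{0x11}, 16)
	macKey = bytes.Repeat([]byte{0x22}, 32)
	demoIV = bytes.Repeat([]byte{0x33}, 16)
)

var (
	ErrBadPadding   = errors.New("invalid padding")    // leaky design, failure type 1
	ErrBadMAC       = errors.New("signature mismatch") // leaky design, failure type 2
	ErrInvalidToken = errors.New("invalid token")      // the only error the hardened design emits
)

// pad / unpad implement PKCS#7 for 16-byte blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbc runs AES-CBC in either direction; data must be a multiple of the block size.
func cbc(iv, data []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out
}

func tag(data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(nil)
}

// Leaky design (MAC-then-encrypt): blob = IV || CBC(pad(msg || HMAC(msg))).
// The receiver must unpad before it can check the MAC, so it reports
// padding failures separately from MAC failures: that difference is the oracle.
func sealLeaky(msg []byte) []byte {
	pt := pad(append(append([]byte{}, msg...), tag(msg)...))
	return append(append([]byte{}, demoIV...), cbc(demoIV, pt, true)...)
}

func openLeaky(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, ErrInvalidToken
	}
	pt, err := unpad(cbc(blob[:aes.BlockSize], blob[aes.BlockSize:], false))
	if err != nil {
		return nil, err // padding problem surfaced as its own error
	}
	if len(pt) < sha256.Size {
		return nil, ErrBadMAC
	}
	msg, sig := pt[:len(pt)-sha256.Size], pt[len(pt)-sha256.Size:]
	if !hmac.Equal(sig, tag(msg)) {
		return nil, ErrBadMAC
	}
	return msg, nil
}

// Hardened design (encrypt-then-MAC): blob = IV || CBC(pad(msg)) || HMAC(IV || ct).
// Any modified byte fails the constant-time MAC check before decryption runs,
// so tampered input never reaches the padding logic and every failure is identical.
func sealUniform(msg []byte) []byte {
	ivct := append(append([]byte{}, demoIV...), cbc(demoIV, pad(msg), true)...)
	return append(ivct, tag(ivct)...)
}

func openUniform(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrInvalidToken
	}
	ivct, sig := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	if !hmac.Equal(sig, tag(ivct)) {
		return nil, ErrInvalidToken
	}
	pt, err := unpad(cbc(ivct[:aes.BlockSize], ivct[aes.BlockSize:], false))
	if err != nil {
		return nil, ErrInvalidToken // same response even here
	}
	return pt, nil
}

// distinctFailures flips one byte at each offset and counts how many different
// responses the opener gives. A defender wants this to be exactly 1.
func distinctFailures(open func([]byte) ([]byte, error), blob []byte, offsets []int) int {
	seen := map[string]bool{}
	for _, off := range offsets {
		t := append([]byte{}, blob...)
		t[off] ^= 0xFF
		if _, err := open(t); err != nil {
			seen[err.Error()] = true
		} else {
			seen["<accepted>"] = true
		}
	}
	return len(seen)
}

func main() {
	msg := []byte("user=alice;role=user") // constructed sample payload
	lb, ub := sealLeaky(msg), sealUniform(msg)
	// Offset 0 alters message content (IV feeds the first plaintext block);
	// the last byte of the penultimate ciphertext block alters the padding byte.
	fmt.Println("leaky distinct failures:  ", distinctFailures(openLeaky, lb, []int{0, len(lb) - 17}))
	fmt.Println("uniform distinct failures:", distinctFailures(openUniform, ub, []int{0, len(ub) - sha256.Size - 17}))
}
```

The leaky opener answers the two tampers with two different errors, which is all a padding-oracle attacker needs to observe; the hardened opener answers both with the same error. The URLScan rule and the customErrors workaround described above apply the same principle one layer up, at the HTTP response, for an application whose token format cannot be changed immediately.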