ASP.Net Vulnerability Remains Unpatched - Techniques

Visual Studio 2010!

	DevSource RSS FEEDS
	Want an easy way to keep up with breaking tech news? And the Get DevSource headlines delivered to your desktop with RSS.

DevSource.com: Your Source for Visual Studio on Facebook

ASP.Net Vulnerability Remains Unpatched

By DevSource
2010-09-22

Article Rating:

/ 0

Rate This Article:

Add This Article To:

Use encryption. That's Microsoft's advice to those looking to defend against a sporadic attack vulnerability in ASP.Net web applications that remains unpatche since the security bulletin was issued on September 19th.

To view the full article in its entirety, please visit eWeek: Microsoft Warns of ASP.NET Attacks

Microsoft is warning users it has seen "limited attacks" targeting an ASP.NET vulnerability that could potentially affect many Web applications.

The issue, which was demonstrated by security researchers Juliano Rizzo and Thai Duong, is due to ASP.NET’s use of encryption padding, which provides information in error messages that can be used by an attacker to potentially read and alter encrypted data. Duong and Rizzo designed a tool to exploit the vulnerability, which they presented at the Ekoparty security conference in Buenos Aires, Argentina, last week.

“An attacker who successfully exploited this vulnerability would be able to read data, such as the View State, which was encrypted by the server,” Microsoft warned in an advisory. “This data may also be tampered with by the attacker…[who] could send this data back to the server and observe the error codes returned by the server. By observing these error codes, an attacker could gain enough information to decrypt and tamper with the encrypted data.”

	Discuss ASP.Net Vulnerability Remains Unpatched

	>>> Be the FIRST to comment on this article!



	>>> More ASP and .Net Coding Techniques Articles >>> More By DevSource

Email Article To Friend ♦ Print Version Of Article ♦ PDF Version Of Article

Contact us \| Advertise \| Site Map
	Security: Enterprise Security Network Security Infrastructure Security How To: Data IT Security News Cheap Hack Blog Security Watch Blog Storage: Data Storage Cloud Storage Storage Virtualization Network Access Storage Storage Reviews Data Storage News How To: Storage Storage Station Blog Computing: Apple OSX Linux Systems Windows Vista Managed Print Services Cloud Computing PC Reviews Microsoft Watch Blog Apple Watch Blog Google Watch Blog Communications: VoIP Solutions Wireless Technology Messaging Software Web Services Mobile Applications Wireless News Mobile Reviews Apps & Development: Application Development SAAS Search Engines Database Software Web 2.0 IT Project Management Emerging Tech Blog CIO Insight Blogs CIOs
	Vertical Markets: Federal Government IT Health Care IT Finance IT Mid-Market Channel Partners Careers Blog Value Added Resellers More eWeek Links: Green Computing Center Tech Knowledge Center Tech Newsletters Tech RSS Feeds White Papers Tech Podcasts Tech Videos Magazine Subscriptions Enterprise Websites: ZDE Home Baseline Channel Insider CIO Insight eSeminars eWeek Mid-Market Publish Online Web Buyers Guide Developer Websites: Dev Shed DeveloperShed ASP Free MS DevSource SEO Chat Codewalkers Tutorialized Scripts.com Dev Mechanic Dev Articles Web Hosters Dev Hardware Technology Websites: Device Forge Desktop Linux Linux Devices Windows for Devices iGrep Search Engine PDF Zone Linux Watch TechDirect
	Use of this site is governed by our Terms of Use and Privacy Policy Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited. eWeek is your best source for the latest Technology News. ZDE Cluster 6