
[ISN] Microsoft warns of in-the-wild attacks on web app flaw

From: InfoSec News <alerts_at_nospam>
Date: Wed Sep 22 2010 - 08:02:38 GMT

By Dan Goodin in San Francisco
The Register
21st September 2010

Attackers have begun exploiting a recently disclosed vulnerability in
Microsoft web-development applications that opens password files and
other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed
last week at the Ekoparty Conference in Argentina. Microsoft on Friday
issued a temporary fix for the so-called “cryptographic padding attack,”
which allows attackers to decrypt protected files by sending vulnerable
systems large numbers of corrupted requests.

Now, Microsoft security pros say they are seeing “limited attacks” in
the wild and warn that the attacks can be used to read and tamper with a
system's most sensitive configuration files.
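Because the attack works by firing large numbers of deliberately corrupted requests at one endpoint and watching the error replies, a defender can look for exactly that pattern in web server logs. The following detector is an added example, not code from The Register, Microsoft or ASP.NET: it parses combined-format access log lines (the lines themselves are constructed here, with RFC 5737 documentation addresses and a hypothetical `/ticket?data=` endpoint) and flags any client that drew many error responses from the same path with many distinct query strings inside a short window. The window, threshold and status code are assumptions a real deployment would tune.

```python
"""Flag clients that probe one endpoint with many distinct, error-producing
query strings, the traffic shape of a padding oracle attack. Added example;
log lines are constructed, the endpoint and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return ip, timestamp, path, query, status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["path"].partition("?")
    return {"ip": m["ip"], "ts": ts, "path": path,
            "query": query, "status": int(m["status"])}


def flag_padding_probes(lines, window=timedelta(minutes=5),
                        threshold=20, error_status=500):
    """Map (ip, path) -> peak number of distinct error-producing query strings
    seen inside any `window`, for pairs that reached `threshold`."""
    errors = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == error_status:
            errors[(rec["ip"], rec["path"])].append((rec["ts"], rec["query"]))

    alerts = {}
    for key, events in errors.items():
        events.sort()                      # by timestamp
        recent = deque()                   # sliding window of (ts, query)
        for ts, query in events:
            recent.append((ts, query))
            while recent[0][0] < ts - window:
                recent.popleft()
            distinct = len({q for _, q in recent})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def constructed_log_lines():
    """Synthetic traffic: one probing client, one normal client, one client
    whose single request happens to error repeatedly (should not alert)."""
    base = datetime(2010, 9, 21, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "-"'
    stamp = lambda i: (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(30):   # 30 different corrupted tickets, all rejected
        lines.append(fmt.format(ip="203.0.113.7", ts=stamp(i),
                                path=f"/ticket?data={i:02x}aa", status=500))
    for i in range(5):    # ordinary successful requests
        lines.append(fmt.format(ip="198.51.100.5", ts=stamp(i),
                                path="/ticket?data=1f2e3d", status=200))
    for i in range(3):    # same bad request retried: low distinct count
        lines.append(fmt.format(ip="192.0.2.9", ts=stamp(i),
                                path="/ticket?data=deadbeef", status=500))
    return lines


if __name__ == "__main__":
    for (ip, path), n in flag_padding_probes(constructed_log_lines()).items():
        print(f"ALERT {ip} sent {n} distinct error-producing requests to {path}")
```

The distinct-query count is what separates a probe from a merely buggy page: a client retrying one broken request produces many errors but one query string, while an oracle attack must change the ciphertext on every request.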

“There is a combination of attacks that was publicly demonstrated that
can leak the contents of your web.config file, including any sensitive,
unencrypted, information in the file,” Microsoft's Scott Guthrie wrote
on Monday night. “You should apply the workaround to block the padding
oracle attack in its initial stage of the attack.” (He went on to say
sensitive data within web.config files should also be encrypted.)
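The padding oracle described above exists whenever a server decrypts first, checks padding, and lets the outcome of that check show in its reply; the workaround Microsoft recommends removes the distinguishable reply, and the standard longer-term fix is to authenticate the ciphertext so a modified message is rejected before decryption. The following is an added example, not code from Microsoft, ASP.NET or The Register: a vulnerable handler and a hardened one side by side, surveyed by modifying a single ciphertext byte through all 256 values and tallying the replies. The block cipher is a toy keyed-XOR stand-in for AES (enough to show CBC chaining and PKCS#7 padding behaviour, not secure), and the ticket format, keys and reply strings are constructed.

```python
"""Why distinguishable decryption errors leak padding validity, and how
MAC-then-decrypt with one uniform error reply closes the leak. Added example;
the 'cipher' is a toy keyed XOR, not AES, and all values are constructed."""
import hashlib
import hmac

BLOCK = 16
MAC_LEN = 32


def _keystream_block(key: bytes, index: int) -> bytes:
    # Toy per-block pad standing in for a real block cipher (illustration only).
    return hashlib.sha256(key + index.to_bytes(4, "big")).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n == 0 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        block = _xor(_xor(padded[i:i + BLOCK], prev), _keystream_block(key, i // BLOCK))
        out += block
        prev = block
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) % BLOCK:
        raise ValueError("bad length")
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(_xor(block, _keystream_block(key, i // BLOCK)), prev)
        prev = block
    return pkcs7_unpad(out)


def vulnerable_handler(key: bytes, iv: bytes, ticket: bytes) -> str:
    """Decrypt, then validate, with a different reply for each failure:
    the reply tells the sender whether the padding was accepted."""
    try:
        plaintext = cbc_decrypt(key, iv, ticket)
    except ValueError:
        return "500 padding error"
    if not plaintext.startswith(b"user="):
        return "400 malformed ticket"
    return "200 ok"


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def hardened_handler(key: bytes, mac_key: bytes, iv: bytes, ticket: bytes) -> str:
    """Verify the MAC before decrypting and give one reply for every failure,
    so neither the padding check nor the content check is observable."""
    ct, tag = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if len(tag) != MAC_LEN or not hmac.compare_digest(tag, expected):
        return "400 invalid ticket"
    try:
        plaintext = cbc_decrypt(key, iv, ct)
    except ValueError:
        return "400 invalid ticket"
    return "200 ok" if plaintext.startswith(b"user=") else "400 invalid ticket"


def tamper_survey(handler, ticket: bytes, byte_index: int) -> dict:
    """Send 256 variants of one ciphertext byte and tally the replies."""
    tally = {}
    for v in range(256):
        variant = ticket[:byte_index] + bytes([v]) + ticket[byte_index + 1:]
        reply = handler(variant)
        tally[reply] = tally.get(reply, 0) + 1
    return tally


KEY = b"k" * 16            # constructed keys; never hard-code real ones
MAC_KEY = b"m" * 16
IV = b"\x00" * 16
PLAINTEXT = b"user=alice;role=member"   # 22 bytes: two CBC blocks after padding


def demo():
    """Returns (replies from the leaky server, replies from the hardened server)."""
    target = BLOCK - 1   # last byte of block 1, which feeds the last padding byte of block 2
    leaky = tamper_survey(lambda t: vulnerable_handler(KEY, IV, t),
                          cbc_encrypt(KEY, IV, PLAINTEXT), target)
    quiet = tamper_survey(lambda t: hardened_handler(KEY, MAC_KEY, IV, t),
                          seal(KEY, MAC_KEY, IV, PLAINTEXT), target)
    return leaky, quiet


if __name__ == "__main__":
    leaky, quiet = demo()
    print("vulnerable:", leaky)   # two tampered values are accepted: padding state leaks
    print("hardened:  ", quiet)   # every tampered value gets the same reply
```

In the leaky tally, one tampered variant is accepted besides the original (it produces a valid one-byte padding), and the other 254 are reported as padding failures; that accept/reject signal per byte is the oracle. The hardened server answers all 255 tampered variants identically because the MAC fails before any padding is examined. Encrypting secrets stored in configuration files, as Guthrie advises, is a separate layer: it limits what an attacker can read if a file is nonetheless leaked.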
