There has been quite some discussion (and speculation!) about the ASP.NET padding oracle vulnerability on various blogs around the Internet the last couple of days. After Microsoft published an advisory on it, the ASP.NET community has been following ScottGu's blog closely.
The issue has seen increasing attention. Yesterday the vulnerability was mentioned on Schneier's blog, where he provided a link to a Threat Post from Kaspersky where the guys behind the exploit were interviewed. The vulnerability and exploit tools were also discussed. The threat post was dated September 13, four days before Microsoft released the first security advisory on the issue. Since then, the amount of information on the vulnerability has only increased throughout the Internet. Now, there's so much information available from different sources that there's not much security through secrecy left.
In today's Kaspersky article on the vulnerability the authors of the exploit state that Microsoft's workarounds are ineffective. These guys seem very confident in the effectiveness of their attack. But as long as the attack relies on observing different behaviour occurring over a series of requests to a webserver, Microsoft's workarounds make sense. It's all about maximising the effort an attacker has to put into a successful attack — through reducing his likelihood of success per time period. In the demo, it took 38 000 web requests before the attack was successful. E.g. Doubling the amount of requests necessary for a successful attack will buy valuable time!
But, good news has arrived as I'm writing this! ScottGu just blogged about a security update shipping tomorrow! Honestly, we've been looking forward to this one! I guess a lot of people will spend the next day or two testing the patch. Happy patching! :)
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Disclaimer
Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).
Sep 28, 2010
Subscribe to:
Post Comments (Atom)
Copyright notice
© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
Read other popular posts
-
Visual Studio Online looks pretty cool so I’ve decided that I'll use it for the next NWebsec release. The project setup was relatively...
-
I just ran into a weird problem while creating a bootable USB-stick, it was impossible to do a full copy of the files from an .iso. I tried...
-
Security headers in an HTTP response There are many things to consider when securing a web application but a definite "quick win...
-
Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they pr...
-
The release of Firesheep a week ago brought a lot of attention to a problem that has been known for many, many years: cookies sent over both...
-
I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 20...
-
Though Windows Server 2003 has been around for a while, we'll still see them around the Internet for many years to come. Despite their u...
-
Just a quick note on an error I often run into when I'm working on my Azure applications. I usually create Azure packages and upload the...
-
I just discovered that Facebook reveal to search engines the users who "Like" a page , regardless of their privacy settings. Try a...
-
Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encry...
ralph lauren polo
ReplyDeletecoach outlet
rolex watches
pittsburgh steelers jerseys
toms shoes
oakley sunglasses
prada sunglasses
michael kors bags
tiffany and co
toms uk
chenlina20170421
20170518 leilei3915
ReplyDeletecoach outlet
cheap jordans
polo outlet
cheap oakley sunglasses
pandora charms
mont blanc pens
pandora bracelet
canada goose
cheap jerseys
fitflops sale clearance
I think that you should definitely read this and learn something new. It was really useful for me in college.
ReplyDeleteGone off a Xany, nodding off, watching Menace. Rolling off some purple that my n-gga call Grimace read this.
ReplyDeleteThank you for this post. This is very interesting information for me.
ReplyDelete
ReplyDeletehttps://khalejmovers.com/نقل-اثاث-الرياض-الامارات/
ارخص شركة نقل عفش
There are many vulnerabilities in Microsoft programs, and the most annoying thing is that most of these programs are paid. Therefore, it is better for students to choose software from other manufacturers; this does not guarantee 100% reliability, but at least it will save you money. Like the site CustomEssayMeister , where you can find the best tips on writing an essay.
ReplyDeleteIf you want to be like Einstein, you’ll find that it’s easier said than done. Not only did he have an amazing intellect, but he had a unique worldview that made it possible for him to think way outside the box. If you want to become a genius like Einstein, here’s how to start thinking like he did https://essaysprofessors.com/business-essay-writing-service.html .
ReplyDeleteessay edge is a reliable online company that offers customers from all over the world professional help in writing academic papers. Its specialists are the best in exploring different subjects and creating great academic masterpieces.
ReplyDeleteGood information and, keep sharing like this.
ReplyDeleteCrm Software Development Company in Chennai
Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
ReplyDeletepost free classified ads in india
Hello everybody! Our essay writer net has been rated the best in completing diverse writing tasks given to students at their educational institutions, such as colleges, high schools, and universities. Our essay writer service has been crafting high-quality and flawless academic and custom pieces of writing for several years already.
ReplyDeleteThanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
ReplyDeleteScaffolding Dealers in Chennai
Aluminium Scaffolding Dealers in Chennai
Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
ReplyDeleteweb portal development company in chennai
Thanks for sharing this wonderful information. I hope you will share more helpful information regarding the content.
ReplyDeletescaffolding dealers in chennai
aluminium scaffolding dealers in chennai
Hello, thanks for sharing this interesting information I appreciate reading. Moreover, the material mentioned here will be useful for a lot of people. Personally, I used in my care plan for constipation.
ReplyDeleteASP.NET is great tool for beginners who are interested in making websites. It is very easy to use. Just make database and start making your website. Best Assignment Writing
ReplyDeleteskycut plotter india
experts
mobileskinsoftware
silhouette cameo 4
mobileskinsoftware
ambition gifts
top sublimation
wemaketrips
If you are looking for a taxi service that can get you to and from Luton Airport comfortably, quickly, and without any hassle, then you have come to the right place. 247 Airport Taxids is honored to be the go-to taxi service in Luton and London. Our goal is 100% customer satisfaction, and we strive hard every day to achieve this goal with our prompt Luton airport taxis services. We understand what it means to be a reliable taxi company that goes the extra mile in order to provide our customers with quality services at an affordable price.
ReplyDeleteWith our 24/7 prompt airport cabs service available across Luton and London, we are always there for you when you need us most! We utilize GPS tracking technology so that we know exactly where our cars are at all times so that we can respond quickly if there is an unexpected delay or problem during your trip. And last but not least, we also offer Meet & Greet service on request; meaning that no matter where you might be staying while on business in Luttnig or London, your driver will pick you up from your doorsteps (assuming he/she has reached their destination).
24/7 Airport Taxis
เปิดร้านส้มตำ สร้างยอดขาย ด้วยเทคนิค pg slot game อยากเปิด ร้านส้มตำเล็กๆ สร้างยอดขายหลักแสน หลักล้าน ไม่ยากอย่าง ที่คิด วันนี้ pg slot game สร้างอาชีพ จะมาเผยสเต็ปเคล็ดไม่ลับ
ReplyDeleteJoker123 ที่พวกเราพรีเซ็นท์ เกมออนไลน์ได้เงินจริง ที่ตื่นเต้นเยอะแยะ กราฟฟิกงามไม่มีอันตราย ให้คุณเพลินและก็ศึกษาและทำการค้นพบระยะเวลาที่ความสนุกที่ pg และก็คุ้มค่ามาก
ReplyDeleteGreat news! Just heard that the ASP.NET vulnerability has been fixed. It's always a relief when developers act swiftly to address security issues. Kudos to the team for their prompt response in ensuring the safety of our web applications. This underscores the importance of staying vigilant and proactive in the ever-evolving landscape of cybersecurity. Cheers to a more secure digital space! #ASPNET #SecurityFirst Most students are drawn to these types of articles and information, but they are unable to prepare for their exams, If you have been struggling with your exams and want assistance, students can do my class - help with my online class and get higher grades on their examinations by providing them with the best available resources, including quality academic services.
ReplyDeleteGreat news! The vulnerability in ASP.NET has finally been fixed, ensuring enhanced security for websites and applications built on this framework. This significant development brings relief to developers and website owners who were concerned about potential cyber threats and unauthorized access.
ReplyDelete