Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Microsoft Security Advisory for ASP.NET - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Security Advisory for ASP.NET

Microsoft has released a security advisory for ASP.NET (CVE-2010-3332).  It looks like there are no known attacks for this vulnerability at this time, and no patch or workaround has been released. 

To quote the release...

"Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time."

A few more details are available at Scott Guthrie's Blog

-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/

Rick

271 Posts
ISC Handler
MS ASP.NET advisory • V1.2 ...
- http://www.microsoft.com/technet/security/advisory/2416728.mspx
• V1.2 (September 24, 2010): Added an entry to the FAQ to announce a revision to the workaround, "Enable a UrlScan or Request Filtering rule, enable ASP.NET custom errors, and map all error codes to the same error page." Customers who have already applied the workaround should -reapply- all listed steps...
- http://blogs.technet.com/b/msrc/archive/2010/09/24/security-advisory-2416728-workaround-update.aspx
24 Sep 2010
- http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
Sep 24, 2010
.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!