Hackers Exploit ASP.Net Bug
Following a research demo of how a "padding oracle" bug can be exploited by force-feeding ciphertext to an ASP.Net application, Microsoft needs to patch its web application framework.
Microsoft has warned that hackers are exploiting the unpatched bug in ASP.Net. Symantec, however, said that it has not seen any attacks yet. All versions of ASP.Net are vulnerable to this attack, which lets attackers access Web applications with full administrator rights. The company promised a patch for the zero-day bug, but no delivery date was set.
In the meantime, Scott Guthrie, the Microsoft executive for the ASP.Net development team, urges website and application developers to cork the hole with a temporary workaround that involves editing the "web.config" file. In response, Microsoft's SharePoint team has already published a different web.config editing procedure for its high-profile and highly profitable collaboration software.
The Microsoft Security Response Center (MSRC) also took a shot at researchers who disclose bugs publicly before a patch has been released:
“We fundamentally believe, and history has shown, that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or proper guidance, risk to customers is greatly amplified.”