Microsoft to Release Emergency ASP.net Patch for Malware Attack
By Dipankar Das, Gaea News NetworkTuesday, September 28, 2010
Microsoft is supposed to release emergency patch on Sept 28, 2010 for ASP.net vulnerability. The patch will be available at company’s download center. According to the researcher Juliano Rizzo who found the bug , an attacker can easily decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the ASP.NET framework’s API. The bug potentially affects millions of Web applications and there are already ongoing attacks. The patch is going to fix the defects for all versions of .NET framework.
“The security update is fully tested and ready for release, but will be made available initially only on the Microsoft Download Center. This enables us to get the update out as quickly as possible, allowing administrators with enterprise installations, or end users who want to install this security update manually, the ability to test and update their systems immediately. We strongly encourage these customers to visit the Download Center, download the update, test it in their environment and deploy it as soon as possible,” said Microsoft security official Dave Forstrom.
Rizzo further added that the impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise. But, users are not vulnerable unless they run Web Server on their system. Microsoft issued guidelines for workarounds to defend against attacks on the ASP.NET bug soon after the researchers disclosed the bug publicly. The security researchers, Juliano Rizzo and Thai Duong, said that the workaround doesn’t protect users fully against the attack.
Tags: API, ASP, Bug Fix, Cookies, Microsoft. ASP.net