Vulnerability in ASP.NET applications – Microsoft Security Bulletin released

by Kathy Bryce Friday, October 01, 2010 11:02 AM

A little over a week ago, a security vulnerability was found in all versions of ASP.NET (Microsoft’s web application framework) that could potentially allow private information disclosure. The vulnerability stems from a cryptographic weakness, specifically improper error handling during encryption padding verification. Attacks based on this weakness could allow a hacker to decrypt sniffed cookies or forge authentication tickets, among other things.

Microsoft has released an out-of-cycle emergency fix to address this security vulnerability. We strongly urge you or your IT staff to go to http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx to download and install all applicable patches on any Microsoft Windows-based Web servers that may be affected by this vulnerability. Additionally, the fix will be rolled out via Windows Update in the upcoming week or so.

This vulnerability could affect any web site using ASP.NET, which includes recent versions of Andornot’s Starter Kits and Inmagic WebPublisher PRO or Inmagic Genie. It does not impact desktop-only installs or clients using the default Inmagic web interfaces.

If you have any further questions regarding applications we have designed for you, please do not hesitate to contact us.

Tags: ASP.NET
