THE SOURCE OF JOB SECURITY for insecurity workers and occasional software developer Microsoft has confessed to a security problem in its ASP.NET framework.
The Vole has recommended that all users 'immediately' apply its fix for the problem and we guess it really means 'immediately'.
Perhaps unsurprisingly, the firm reluctantly confessed to the security problem late, after it was announced elsewhere.
"A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET 2," wrote Windows developer Scott Guthrie in a blog post.
"This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications."
The vulnerability can be exploited by any hacker who can be bothered to send a lot of requests to a Windows system, and it gives them the ability to request and download its files. We are sure there is a lot of stuff ripe for the picking that isn't particularly interesting, but when you consider that attackers can get into the web.config file as well as take encrypted data, you start to hope that Microsoft knows what it's doing with its workaround.
Guthrie said that the vulnerability requires many access attempts before an attacker can ascertain that it exists. However, he added, "By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text."
In order to avoid becoming a victim, Microsoft systems administrators are advised to enable the <customErrors> feature of ASP.NET and configure their system to always return the same error message. By doing this, said Guthrie, you can prevent hackers from "distinguishing between the different types of errors that occur on a server". Microsoft has also released a small code patch for ASP.NET that its users can install.
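The workaround Guthrie describes boils down to one customErrors element that sends every client the same page for every error. The following is an added example, not code from the article or from Microsoft: a small audit of a web.config fragment that flags the settings which still let a client tell error types apart. Both web.config fragments are constructed for the example; the file path `~/error.html` is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not taken from the article).
# The first still distinguishes errors: detailed pages for local browsers,
# and a different redirect per HTTP status code for everyone else.
LEAKY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly">
      <error statusCode="404" redirect="NotFound.aspx" />
      <error statusCode="500" redirect="ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# The second follows the workaround: custom errors always on, one default
# page for every error, no per-status entries.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
"""


def audit_custom_errors(config_xml):
    """Return a list of findings; an empty list means the customErrors
    element matches the uniform-error workaround described above."""
    root = ET.fromstring(config_xml)
    node = next(root.iter("customErrors"), None)
    if node is None:
        return ["no customErrors element: framework defaults apply, so error types stay distinguishable"]
    findings = []
    mode = node.get("mode", "")
    if mode.lower() != "on":
        findings.append('mode="%s": must be "On" so every client gets the custom page' % (mode or "(unset)"))
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect missing: no single page is sent for every error")
    per_status = [e.get("statusCode", "?") for e in node.findall("error")]
    if per_status:
        findings.append("per-status <error> entries (%s) let a client tell error types apart" % ", ".join(per_status))
    return findings


if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_custom_errors(cfg) or ["OK"])
```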
The affected Microsoft operating system software includes Windows XP, including SP3 and Professional, Windows Server 2003 and 2008, Windows Vista in a variety of flavours, and Windows 7.
This is not a bug in any Microsoft software. There's a paragraph in web.config where as a Web app developer I want to specify detailed error reports (so I can see what's wrong and fix it). When I'm done, I'm supposed to change that paragraph to a mode where details are only shown to browsers running on the server. If I'm stupid and forget, it's my fault, not Microsoft's.
The problem is that there are so many incompetent developers out there. OK, having to read 1000+ page manuals doesn't help, especially if you have to read them on your own time without extra pay.
Someone correct me if I am mistaken, but if I understood right, this is not about the error code. Apparently .NET sends, along with the error message, some data supposedly to help webmasters figure out what the error was about. But a regular user also gets the same message.
The trouble is that someone figured out that this data isn't so useless, and it turns out that it indeed contains very sensitive info about the very encryption of the website. But it only comes in fragments, therefore the attacker needs several messages like this to have workable material.
Like 90% of their products' vulnerabilities, M$ was pitifully humble and the flaw again lies in a thing that they did beyond what was asked (who the hell asked for memory data inside error messages?).
They aren't talking about HTTP errors, they are talking about unhandled exceptions in the developer's code. Big difference.
By default, these exceptions are not shown to the user unless the admin enables it in web.config. This has always been an attack vector on poorly administered systems.
By returning the same error codes regardless of error. Also, there is some question whether the workaround works at all, since it is only necessary to learn an error condition, not particulars.
Must be hell to work at M$ if you have a conscience.