
Wolfgang Kandek, CTO Qualys: Microsoft readies update for ASP.NET issue

September 2010 by Wolfgang Kandek, CTO Qualys

Microsoft announced that they will release an update tomorrow for ASP.NET. The update will address a vulnerability disclosed by Thai Duong and Juliano Rizzo at ekoparty, a Latin American Security Conference. The critical vulnerability allows a remote attacker to extract information from web applications programmed under ASP.NET and in certain circumstances can be used to take control over the affected server.

The current advisory provides a workaround for the problem. It minimizes information leakage through the error reporting system and should be considered a best practice for web applications even without the current attack. Scott’s blog post provides great insight, as does the blog post from the DotNetNuke team on how to implement the workarounds in their environment.

We recommend installing the patch immediately, once it becomes available. IT administrators should first focus on web servers that do not have the workarounds implemented.
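A triage check for the prioritisation above, as an added example that is not from the article or from Microsoft. It assumes the workaround is the advisory's `customErrors` setting (mode `On` or `RemoteOnly`, with one `defaultRedirect` page used for every error), which the article itself does not spell out; the function name and the sample `web.config` strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace such as '{ns}customErrors' down to the element name."""
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return a list of findings; an empty list means the assumed workaround is in place."""
    root = ET.fromstring(web_config_xml)
    # customErrors can also sit under <location> blocks, so search the whole tree.
    sections = [e for e in root.iter() if local(e.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> element: no single error page is configured"]
    findings = []
    for ce in sections:
        mode = ce.get("mode", "RemoteOnly")   # ASP.NET default when the attribute is omitted
        redirect = ce.get("defaultRedirect")
        if mode not in ("On", "RemoteOnly"):
            findings.append("mode=%s: detailed errors reach remote clients" % mode)
        if not redirect:
            findings.append("no defaultRedirect: errors are not mapped to one page")
        for err in ce:
            # A per-status page that differs from the default reveals which error occurred.
            if local(err.tag) == "error" and err.get("redirect") != redirect:
                findings.append("statusCode %s has its own error page (%s)"
                                % (err.get("statusCode"), err.get("redirect")))
    return findings

# Constructed sample configurations (not taken from any real server).
WEAK = '<configuration><system.web><customErrors mode="Off" /></system.web></configuration>'
MIXED = ('<configuration><system.web>'
         '<customErrors mode="On" defaultRedirect="~/error.html">'
         '<error statusCode="404" redirect="~/notfound.html" />'
         '</customErrors></system.web></configuration>')
HARDENED = ('<configuration><system.web>'
            '<customErrors mode="On" defaultRedirect="~/error.html" />'
            '</system.web></configuration>')

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("MIXED", MIXED), ("HARDENED", HARDENED)):
        print(name, audit_custom_errors(cfg) or "workaround present")
```

Run it over each site's `web.config` and patch first the servers that return a non-empty list.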

References:

* Exploit tool and Whitepaper from Netifera
* Demo video on Youtube for the 3rd party ASP.NET application DotNetNuke
* DotNetNuke blog post on how to fix the issue
* Technical details on the suggested workarounds

