Researchers Demo ASP.NET Crypto Attack

Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

Re:Not as serious as it sounds

[Eirenarch]

Not really. This option works the other way around. Custom errors in ASP.NET are the ones provided by the developer. He turned custom errors off. Also in ASP.NET by default this option is set to RemoteOnly meaning that the errors are on for anyone but the localhost. This way you can develop on your own machine but when you deploy you can't be exploited by this or similar exploit even if you don't change the default configuration. Now if you go out and change it this is another thing...

I believe it is a standard security practice to NOT show your error infomation to the user in production environment. If anyone is doing it he should be fired anyway. No need to wait for an exploit to hit.

NOOOO!

[spongman]

The attack requires the ASP.NET error page that shows exception information to be enabled.

NO! NO! NO!

This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.

No sane person will leave it like this in production let alone that it is turned off by default.

This is correct, and, unfortunately, why the 1st statement is so dangerous.

Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!