Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Demo ASP.NET Crypto Attack

Posted by timothy on from the theoretical-no-more dept.

Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

1 of 98 comments (clear)

  1. NOOOO! by spongman · · Score: 5, Insightful

    The attack requires the ASP.NET error page that shows exception information to be enabled.

    NO! NO! NO!

    This is wrong, and dangerous. There is no such requirement, the HTTP status code is sufficient. Actually, the timing is sufficient, but slightly harder to exploit.

    No sane person will leave it like this in production let alone that it is turned off by default.

    This is correct, and, unfortunately, why the 1st statement is so dangerous.

    Assuming that your site is safe just because you've followed best practices is WRONG! You MUST apply the fix in ScottGu's post immediately!