Slashdot Mirror


Researchers Demo ASP.NET Crypto Attack

Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

3 of 98 comments

  1. Impressive video by erroneus · Score: 0, Troll

    There was so much wrong about that, I cannot begin to say it all. But I will say this. That "superuser" is available as a user in a web app is unforgivable. If it wasn't this exploit taking advantage of that fact, it would be another. *NIXes learned the folly of that long ago, and so now, with the exception of certain administrative tools, web services don't run as root, but as apache or some other non-root user. While this doesn't make the feat of root-level compromise impossible, it does make it less easy. (Then again, root isn't often as necessary as people seem to think, as these days the ability to run a [D]DoS or to extract sensitive information from a database only requires user-level access, as granted by the level of the process compromised.)

    Still, the dangers of a direct root-level compromise are plain for all to see and understand. At that level, it's "game over" for all things, including updating the BIOS or other ROM code of other on-board controllers of the host system to make "removal" or "cleaning" a much more difficult, if not impossible, task to perform.

    I know Microsoft is not listening as we all begin to chant the same things: STOP RUNNING EVERYTHING AS ADMINISTRATOR

    Maybe they will start to listen one day.

  2. Re:Not as serious as it sounds by devent · Score: 0, Troll

    There are 197 results, but half of them are posted on a WordPress blog about something else. This search yields 347 results which are all IIS vulnerabilities; my favorite one is 500 Thousand MS Web Servers Hacked. A search for the same with Apache is useless, because Slashdot has a menu with an "Apache" item. Slashdot's own search for "Apache vulnerability" only yields one recent item, Serious Apache Exploit Discovered, which only affects Windows servers. And the next is from 2008, Mystery Malware Affecting Linux/Apache Web Servers, which "[exploit] vulnerabilities in QuickTime, Yahoo! Messenger, and Windows". So I don't know why it affects Linux.

    Please give me an example where half a million websites are affected with Apache. While Apache is the most-run web server on the whole internet, it is only the IIS server which is taken down with such big numbers. Why?

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  3. Re:Not as serious as it sounds by devent · Score: 0, Troll

    Technically it's not an IIS bug, true. But why is only IIS affected and not the more widely used Apache? Actually, why is it always IIS and almost never Apache? You would think that a hacker would target the most-used web server to hack as many websites as he/she can.

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute