Microsoft To Release Emergency Fix For ASP.NET Bug

Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."

Re:A quick explanation

[ls671]

> not a cookie, rather a hidden, encrypted field for storing state across postbacks

Thanks a lot for the clarification, it seriously helps me understand the problem better and I really mean it.

Now I will re-phrase my post:

WTF ?

Is this serious ? I thought rule 1 of using hidden form fields was to only put meaningless (OK: or already submitted data by the user) data into one. I am still having a hard time to believe this is occurring out of the box in an enterprise platform like ASP.NET.

A hidden form field in more or less the request scoped version of a cookie, never ever store your guts into one, no matter how well it is encrypted ! ;-)