Microsoft To Release Emergency Fix For ASP.NET Bug

Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."

Re:How serious is this really?

[ls671]

But, but...

Being an equal opportunity fan and enjoying playing the devil advocate, I went to search for an instance where a remote attacker could read web.xml to no avail.

web.xml is used by multiple application server implementations offering the most prevalent alternative to ASP.NET.

So did anybody ever heard of a security hole that allowed a remote attacker to read web.xml ?