Microsoft To Release Emergency Fix For ASP.NET Bug
Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."
Seriously? This is the second reply to this story that seems to think that it's about cookies.
Please listen carefully: this has NOTHING to do with cookies!
As the GP post and Scott Guthrie's post linked elsewhere (so helpfully) explain, this affects two encrypted elements in use by most (if not all) ASP.NET apps: the ViewState (not a cookie, rather a hidden, encrypted field for storing state across postbacks) and encrypted web.config files which tend to store sensitive connection info (among other things) that needs to be protected from attackers. The flaw allows attackers to decrypt these storage mechanisms and so get at (potentially) sensitive data, depending on how the app was coded.
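The distinction the comment draws, between a ciphertext an application merely decrypts and one it first authenticates, is the whole defensive lesson of a padding oracle. The Go below is an added illustration, not code from the story or from ASP.NET: a CBC decryptor whose padding failure surfaces as its own error sits beside an encrypt-then-MAC decryptor that verifies an HMAC-SHA256 tag in constant time before decrypting and returns one uniform error for every failure. All function names, the token layout, key sizes and the fixed IV are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

var ErrPadding = errors.New("bad padding")  // distinguishable error: the signal a padding oracle needs
var ErrInvalid = errors.New("invalid token") // the only error the hardened path ever returns
// tagOf is HMAC-SHA256 over iv||ct, the authenticator the unpatched format lacked (hypothetical helper).
func tagOf(macKey, body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}
// seal returns iv || AES-128-CBC(PKCS#7(pt)) || tag; both keys are 16 bytes, iv is aes.BlockSize bytes.
func seal(encKey, macKey, iv, pt []byte) []byte {
	blk, _ := aes.NewCipher(encKey)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	blob := append(append([]byte{}, iv...), buf...)
	return append(blob, tagOf(macKey, blob)...)
}
// openLeaky models the unpatched handler: body (iv plus whole blocks) is decrypted unauthenticated, so tampering yields ErrPadding or altered plaintext.
func openLeaky(encKey, body []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return pt[:len(pt)-n], nil
}
// openSafe checks length and tag (constant time) before decrypting and maps every failure to ErrInvalid.
func openSafe(encKey, macKey, blob []byte) ([]byte, error) {
	cut := len(blob) - sha256.Size
	if cut < 2*aes.BlockSize || cut%aes.BlockSize != 0 || !hmac.Equal(blob[cut:], tagOf(macKey, blob[:cut])) {
		return nil, ErrInvalid
	}
	if pt, err := openLeaky(encKey, blob[:cut]); err == nil {
		return pt, nil
	}
	return nil, ErrInvalid // even a padding failure behind a valid tag is reported identically
}
```

Flipping one byte of the IV in a sealed token makes openLeaky either report ErrPadding or hand back altered plaintext, while openSafe answers ErrInvalid to every tampered or truncated input; the uniform error plus the tag check is what removes the oracle, not secrecy of the error message alone.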