ASP.NET cracked!
If you're in charge of an ASP.NET server, you might have some overtime coming. Quite a lot of it.
"A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug ... affects millions of Web applications."
(Emphasis added)
You'll find a lot more detail in the link above, but this rather tuneful clip gives you an idea of the essence -- and simplicity -- of the attack ...
Stealing the keys to create a super-user's cookie takes less than 5 minutes. From then on, your server's pwned!
The list of affected systems is impressive: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Microsoft's response has so far been measured, though they do note that "Microsoft is aware of limited, active attacks at this time."
I hope they're not against my bank. Or yours!

PC World is New Zealand’s top selling computing and technology magazine.
Comments
Actually, after looking into it, it could be a lot worse. Not going to be a big deal for most sites, I think you'll find.
Posted by: Robert | September 28, 2010 8:41 PM
I'm glad most of our projects are OSS-based, but we have one small ASP project so will have to check it. Ouch!
Posted by: Robert | September 28, 2010 8:37 PM