Tag Archives: IIS

ASP.NET Crypto Exploit Patch Ships Tuesday, Sept. 28

Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.

Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. As in, after you install this patch, you can turn off custom errors or use custom error files for specific errors.

Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28

Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability

In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”

URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability

FAQ Released For Microsoft ASP.NET CryptographicException Attack

Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted on his blog late Monday a FAQ about the ASP.NET CryptographicException vulnerability.

Highlights:

  • All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
  • Sharepoint is affected, too. A workaround on how to employ a new generic error document for Sharepoint is detailed at that team’s blog.
  • Everyone should employ the recommended workarounds.
  • You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
  • A patch will be released as a Windows Update hotfix, but no release date has been set yet.
  • Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.

I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack

Major Security Hole In ASP.NET Requires Error Redirect Workaround

A major security flaw in ASP.NET was announced on Friday — one that affects all versions and can allow an attacker to see ViewState and web.config data in clear text.

As such, everyone who has made an ASP.NET Web site should take this threat very seriously.

Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.

For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>

Where, of course, error.html is the name of the error page you made.

If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:

<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

Where, of course, error.aspx is the name of the error page you created.
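A small checker for the customErrors settings described above, added here as an example rather than code from Scott Guthrie's post or from the zipped files; the two web.config fragments are constructed, and per-status <error> overrides are flagged because every HTTP error has to land on the one generic page for the workaround to hold.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for illustration (not from the post).
# GOOD follows the 3.5 SP1 / 4.0 form of the workaround exactly; BAD keeps
# the default mode and routes 404s to a second page.
GOOD_CONFIG = """<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>"""

BAD_CONFIG = """<configuration>
   <system.web>
      <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
         <error statusCode="404" redirect="~/notfound.html" />
      </customErrors>
   </system.web>
</configuration>"""


def check_custom_errors(web_config_xml, uses_35sp1_or_40):
    """Compare a web.config's customErrors section with the workaround.

    Returns a list of human-readable findings; an empty list means the
    section matches the recommended settings for that framework version.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    ce = next(root.iter("customErrors"), None)
    if ce is None:
        return ["no customErrors section: every error reaches the client unmasked"]
    mode = ce.get("mode")
    if mode != "On":
        findings.append(f"mode is {mode!r}; the workaround calls for mode=\"On\"")
    if not ce.get("defaultRedirect"):
        findings.append("defaultRedirect is missing; all errors must go to one generic page")
    if uses_35sp1_or_40 and ce.get("redirectMode") != "ResponseRewrite":
        findings.append("redirectMode should be \"ResponseRewrite\" on 3.5 SP1 / 4.0")
    # Per-status <error> overrides let a client tell error types apart, which
    # is exactly the signal the single generic page is meant to remove.
    for err in ce.findall("error"):
        findings.append(
            f"statusCode {err.get('statusCode')} is routed to {err.get('redirect')!r}; "
            "route all errors to the single generic page instead")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_custom_errors(cfg, uses_35sp1_or_40=True) or ["OK"])
```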

To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.

I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround