Tuesday, 21 September 2010

FAQ Released For Microsoft ASP.NET CryptographicException Attack

Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted on his blog late Monday a FAQ about the ASP.NET CryptographicException vulnerability.

Highlights:

  • All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
  • SharePoint is affected, too. A workaround on how to employ a new generic error document for SharePoint is detailed at that team’s blog.
  • Everyone should employ the recommended workarounds.
  • You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
  • A patch will be released as a Windows Update hotfix, but no release date has been set yet.
  • Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.

I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack

Saturday, 18 September 2010

Major Security Hole In ASP.NET Requires Error Redirect Workaround

A major security flaw in ASP.NET was announced on Friday — one that affects all versions and can allow an attacker to see ViewState and web.config data in clear text.

As such, everyone who has made an ASP.NET Web site should take this threat very seriously.

Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.

For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>

Where, of course, error.html is the name of the error page you made.

If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:

<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

Where, of course, error.aspx is the name of the error page you created.
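The FAQ’s point that every HTTP error must end up at the same generic page is easy to get wrong if your web.config already has per-status-code error entries, because then a 404 and a 500 still produce visibly different responses. The two fragments below are an added illustration of that, not a snippet from Guthrie’s post or from Microsoft; the page names (notfound.html, servererror.html) are made up for the example.

```xml
<!-- WEAK: the per-status <error> entries override defaultRedirect for those codes,
     so different failures still yield different responses. This is the kind of
     configuration the FAQ says leaves the hole open. -->
<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html">
         <error statusCode="404" redirect="~/notfound.html" />
         <error statusCode="500" redirect="~/servererror.html" />
      </customErrors>
   </system.web>
</configuration>

<!-- CORRECTED (ASP.NET 3.5 SP1 / 4.0): no per-status entries at all, every error is
     rewritten in place to the single error.aspx page. On 1.x / 2.0 / 3.5 drop the
     redirectMode attribute (it does not exist there) and point defaultRedirect at
     the static error.html instead. -->
<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>
```

The only structural difference is the removal of the child <error> elements; if you need per-status pages for usability, the FAQ’s advice is that they have to wait until the hotfix ships.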

To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.

I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround

Monday, 13 September 2010

xkcd Nails The Real Security Threat

As I was saying … today’s comic from xkcd:

Password Reuse

Monday, 19 July 2010

Killing Tynt’s “Read More” Clipboard Copy Hijacker With The Adblock Plus Plug-In For Firefox

Update, 20 July 2011: I received an e-mail that notes the correct link to Tynt’s opt-out button is now http://www.tynt.com/tynt-users-opt-out. Its author adds that he believes their opt-out system now works.

Tynt's annoying Read More clipboard jacking: You can kill it with AdBlock Plus for Firefox.

I love Firefox. It’s pretty much the only Web browser I use.

I hate Tynt. If you’ve ever copied text from a Web page, then pasted it, only to find a mysterious “Read More:” link inserted at the end of the text you copied, you just ran headfirst into Tynt.

Each time a user pastes content from your website into an email, blog or website, we automatically add a URL link back to your site’s original content. When someone clicks that URL, they are directed back to your site and see the original content. This drives incremental traffic to your site when your content is shared without your knowledge while maintaining a consistent user experience.

It may well be a “consistent user experience” for me to have to hit the backspace key to delete the “Read more” link Tynt adds every time I copy a small block of text, but it’s a consistently annoying experience.

I appreciate the importance of reciprocal links. I understand the challenge to content publishers of having content lifted from their Web sites without attribution.

So before I get into details about this fix, let me be clear: If you copy Web content, attribute it. It’s the right thing to do.

That said, there’s a wrong way of getting people to do the right thing, and Tynt is definitely the wrong way.

I find having my simple act of extracting a quote from a Web page turned into a link-spamming takeover of my local machine to be far more disturbing than a tracking cookie or layer ad.

Don’t be messing with my clipboard. It’s mine, not yours. I will put into it what I want there, not what you want.

Fortunately, I was able to put an immediate end to Tynt’s “Read More” clipboard copy hijacking in Firefox with Adblock Plus, a highly popular add-in that does what its name suggests: blocks advertisements, and other content, from displaying on a page.

Continue reading: Killing Tynt’s “Read More” Clipboard Copy Hijacker With The Adblock Plus Plug-In For Firefox »

Saturday, 10 July 2010

LastPass: A Great Way To Protect Your Actual Internet Privacy

It’s a trial for me to listen to people complain about privacy on Facebook or anonymity on the Web.

Don’t get me wrong; you aren’t going to find a bigger defender of anonymous speech than me. The same way a secret ballot preserves the integrity of the plebiscite, anonymous political speech protects republicanism.

But there’s a difference between standing up for the right of someone to publish an anonymous blog and listening to people carp about whether some stranger can see pictures of his kids.

In the case of the former, the author wants to be heard, but to protect himself from the repercussions of speaking. That’s a tradition as old as politics itself, albeit that in time, anyone who makes an impact with anonymous speech is exposed.

In the case of the average Joe bitching about his boss via a tweet, there’s a far simpler point to be made: If you put it on the Internet, it’s not private. Period.

When we waste time debating whether it’s right for some potential employer to use a five-year-old drunken tweet against you, we don’t focus on the real things people should be doing to protect their Internet identities. For example, using strong passwords.

I’ll bet a dollar to doughnuts that the average person who worries about Facebook privacy is using his dog’s name as his Facebook password. And not only that, but using that same password for every Internet site he visits, including Amazon.com, online banking, travel sites, etc., etc. And not only that, but has been using the same password for years.

I’m willing to make that bet because that described my password strategy up to about a week ago. Until I discovered, and started using, LastPass.

Continue reading: LastPass: A Great Way To Protect Your Actual Internet Privacy »