Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability

In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”

URLScan is an Internet Information Server (IIS) extension. If you manage your own IIS server, you should follow the instructions at Guthrie’s blog post to download, install and configure the workaround.
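The configuration change the post refers to, as an added example rather than text from Guthrie's post or Microsoft's own documentation: a UrlScan.ini fragment that denies any request whose query string contains `aspxerrorpath`. It assumes UrlScan 3.1 (the version that supports the `[DenyQueryStringSequences]` section) installed in its default location under `%windir%\system32\inetsrv\urlscan\`; check the path on your own server.

```ini
; UrlScan.ini fragment (added example; not from the original post).
; Assumes UrlScan 3.1, default path: %windir%\system32\inetsrv\urlscan\UrlScan.ini

[DenyQueryStringSequences]
; Any request whose query string contains this sequence is rejected with a
; 404 before it reaches ASP.NET. The ASP.NET custom-error handler normally
; appends ?aspxerrorpath=/original/page when it redirects to the error page,
; which let a probing client tell one error type from another; refusing the
; parameter removes that distinguishing signal.
aspxerrorpath=
```

UrlScan reads its INI file when the worker process starts, so restart IIS (for example with `iisreset`) after saving, then request a URL such as `/anypage.aspx?aspxerrorpath=/x` against your site and confirm you receive the generic UrlScan rejection rather than an ASP.NET error page. Keep the earlier mitigation Guthrie described (a single custom error page for all error codes) in place; this step complements it rather than replacing it.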

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability
