Sep 28, 2010
Vuln: ASP.NET emergency patch
It’s patch Tuesday again, this time with an emergency patch for all ASP.NET applications. The vulnerability in ASP.NET allows attackers to decrypt password files, cookies, and other sensitive data that is supposed to remain encrypted as it passes from the server to a web browser. Full details: security/advisory/2416728
Common Vulnerabilities and Exposures ID and info: CVE-2010-3332
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack.
Do patch up as soon as the patch is verified and available.
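Until the patch is deployed, the padding oracle described in the CVE text is visible in IIS logs: one client sends many requests whose encrypted value changes each time, and nearly all of them end in an error. The following detection sketch is an added example, not code from the original post or from Microsoft's advisory; the sample log, the path `/app/page.aspx`, the parameter `d` and both thresholds are constructed assumptions to tune for your own traffic.

```python
from collections import defaultdict

# Constructed IIS W3C sample (not real traffic): 203.0.113.7 sends 40 requests
# with a different encrypted value each time, and every one returns an error.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status"]
    + [f"2010-09-28 10:00:{i % 60:02d} GET /app/page.aspx d=AAAA{i:04x} 203.0.113.7 500"
       for i in range(40)]
    + ["2010-09-28 10:01:00 GET /app/page.aspx d=QUJDRA 198.51.100.5 200",
       "2010-09-28 10:01:05 GET /app/page.aspx d=QUJDRA 198.51.100.5 200",
       "2010-09-28 10:01:09 GET /app/missing.aspx - 198.51.100.5 404"]
)

def find_oracle_probing(log_text, min_errors=25, min_error_ratio=0.9):
    """Return {(client_ip, path): (error_count, distinct_failing_queries)}."""
    fields = []
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "queries": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout is declared in the log itself
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directives, blank or malformed lines
        row = dict(zip(fields, parts))
        status = row.get("sc-status", "")
        if not status.isdigit():
            continue
        entry = stats[(row.get("c-ip", "-"), row.get("cs-uri-stem", "-"))]
        entry["total"] += 1
        if int(status) >= 400:
            entry["errors"] += 1
            entry["queries"].add(row.get("cs-uri-query", "-"))
    hits = {}
    for key, entry in stats.items():
        # Many errors, almost nothing but errors, and a new value on each try:
        # a broken link or a crashing page repeats the same query instead.
        if (entry["errors"] >= min_errors
                and entry["errors"] / entry["total"] >= min_error_ratio
                and len(entry["queries"]) >= min_errors):
            hits[key] = (entry["errors"], len(entry["queries"]))
    return hits

if __name__ == "__main__":
    for (ip, path), (errors, distinct) in find_oracle_probing(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {errors} errors, {distinct} distinct values")
```

The check counts per client and path over the whole input, so run it on a bounded time window of log data rather than on months of history.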