
New security flaw discovered in Microsoft's ASP.Net technology


September 14, 2010

A new security vulnerability has been discovered in the way some Internet applications handle encrypted session cookies, one that could leave online banking accounts open to multiple attacks from hackers.

The security flaw stems from cryptographic weaknesses in some Internet apps developed using Microsoft's ASP.Net technology.

Microsoft's ASP.Net framework uses the U.S. government-approved AES encryption algorithm to secure the browser session cookies that applications generate during online banking tasks performed by remote users.

It works like this: the way ASP.Net handles errors when the encrypted data in a browser cookie has been modified can offer strong clues to a potential attacker, allowing him to narrow down the possible range of the security keys used in an online banking session.

Attacks based on this vulnerability might also allow an attacker to decrypt 'sniffed' cookies or forge session authentication tickets, among other attacks of a similar nature.
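The error-handling weakness described above, as an added example that is not code from the article or from Microsoft's framework: a toy CBC "ticket" endpoint that decrypts first and answers a padding failure differently from a parse failure, beside a hardened version that verifies an HMAC in constant time before decrypting and returns a single generic failure. The cipher is a constructed 4-round Feistel stand-in for AES, the keys and ticket body are constructed values, and `tamper_responses` is a defender's check that counts how many distinct replies a handler gives when one ciphertext byte is varied.

```python
import hashlib, hmac
BLOCK, KEY, MAC_KEY, IV = 16, b"constructed-demo-key", b"constructed-mac-key", bytes(16)  # constructed
BODY = b"user=alice&role=member"  # constructed ticket body; pads to two blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _block(key, blk, rounds):  # toy 4-round Feistel standing in for AES (NOT secure, demo only)
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l
def cbc_encrypt(pt):  # PKCS#7 pad, then CBC with the fixed demo IV
    pt += bytes([BLOCK - len(pt) % BLOCK]) * (BLOCK - len(pt) % BLOCK)
    out, prev = b"", IV
    for i in range(0, len(pt), BLOCK):
        prev = _block(KEY, _xor(pt[i:i + BLOCK], prev), range(4)); out += prev
    return out
def cbc_decrypt(ct):  # CBC decrypt, then strict PKCS#7 check; raises ValueError on bad padding
    pt = b"".join(_xor(_block(KEY, ct[i:i + BLOCK], reversed(range(4))), (IV + ct)[i:i + BLOCK])
                  for i in range(0, len(ct), BLOCK))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]
def make_token(body, with_mac):
    ct = cbc_encrypt(body)
    return ct + (hmac.new(MAC_KEY, ct, hashlib.sha256).digest() if with_mac else b"")
def vulnerable_handle(token):  # decrypt-then-parse: padding failure and parse failure answered differently
    try:
        body = cbc_decrypt(token)
    except ValueError:
        return "500 padding error"
    return "200 ok" if body.startswith(b"user=") else "400 malformed ticket"
def hardened_handle(token):  # encrypt-then-MAC: constant-time tag check first, one generic failure reply
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return "400 invalid ticket"
    try:
        body = cbc_decrypt(ct)
    except ValueError:
        return "400 invalid ticket"
    return "200 ok" if body.startswith(b"user=") else "400 invalid ticket"

def tamper_responses(handler, token, ct_len):
    # Replies seen when the last byte of the second-to-last ciphertext block takes every other value;
    # more than one distinct reply means the server reveals whether padding was valid (an oracle).
    pos, seen = ct_len - BLOCK - 1, set()
    for v in range(256):
        if v != token[pos]:
            t = bytearray(token); t[pos] = v; seen.add(handler(bytes(t)))
    return seen
```

Running `tamper_responses` against the vulnerable handler yields two distinct failure replies (padding error versus malformed ticket), while the hardened handler yields only one.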

Internet security researchers Thai Duong and Juliano Rizzo have developed a "Padding Oracle Exploit Tool" to demonstrate the feasibility of such an attack, extending their previous research on similar security vulnerabilities in Java Server Faces and other Web frameworks.

"The most significant new discovery is a universal Padding Oracle affecting every ASP.Net web application. In short, you can decrypt browser session cookies, view states, form authentication tickets, view membership passwords, user data and just about anything else encrypted using the framework's API," said Rizzo.

Additional details of this critical security flaw are due to be outlined at a presentation during the Ekoparty conference in Argentina later this week, Rizzo added.

Rizzo also said that the attack could let a moderately skilled attacker break into a website in just 30 to 40 minutes, probably even less.

"The security vulnerabilities exploited affect the framework used by about twenty-five to thirty percent of all Internet web sites. The impact of these attacks depends on the applications installed on the server, from information disclosure to total system compromise," said Duong.

"At the beginning, the first few stages of the attacks take a few thousand requests, but once it succeeds and the attacker gets the secret keys, it accelerates very fast," said Rizzo.

"What's worse is that the cryptographic knowledge required in these attacks is very basic," Rizzo added.


Source: Juliano Rizzo.
