{"id":3226,"date":"2010-09-28T22:05:43","date_gmt":"2010-09-28T21:05:43","guid":{"rendered":"http:\/\/www.itwriting.com\/blog\/3226-asp-net-padding-oracle-fix-released-time-to-patch-for-windows-administrators.html"},"modified":"2010-09-28T22:05:43","modified_gmt":"2010-09-28T21:05:43","slug":"asp-net-padding-oracle-fix-released-time-to-patch-for-windows-administrators","status":"publish","type":"post","link":"https:\/\/www.itwriting.com\/blog\/3226-asp-net-padding-oracle-fix-released-time-to-patch-for-windows-administrators.html","title":{"rendered":"ASP.NET Padding Oracle fix released, time to patch for Windows administrators"},"content":{"rendered":"<p>Scott Guthrie\u2019s blog <a href=\"http:\/\/weblogs.asp.net\/scottgu\/archive\/2010\/09\/28\/asp-net-security-update-now-available.aspx\" target=\"_blank\">reports<\/a> that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest.<\/p>\n<p>First, there is not one patch but several, and which ones you need depend both on the version of Windows and the version of .NET. Multiple versions of .NET may be installed on a single server.<\/p>\n<p>Second, the exploit is rated \u201cimportant\u201d in Microsoft security-speak, rather than \u201ccritical\u201d. This is apparently because in itself the vulnerability merely discloses information. However, Microsoft is treating it with a high priority because the vulnerability is likely to reveal information that <strong>would<\/strong> let the attacker go on to more severe actions such as taking over a server. Confusing, but to my mind it is as critical as they come. 
<\/p>\n<p>Third, Guthrie\u2019s blog notes:<\/p>\n<blockquote>\n<p>We\u2019d like to thank Juliano Rizzo and Thai Duong, who discovered that their previous research worked against ASP.NET, for not releasing their POET tool publicly before our update was ready.<\/p>\n<\/blockquote>\n<p>The implication is that the POET tool may be publicly available soon \u2013 so if you are responsible for an affected machine, get patching! In fact, in the webcast on the subject Microsoft stated that \u201cThe potential for exploit is very high during the next 30 days.\u201d<\/p>\n<p>Fourth, the update <a href=\"http:\/\/www.microsoft.com\/technet\/security\/bulletin\/MS10-070.mspx\" target=\"_blank\">works<\/a> by \u201cadditionally signing all data that is encrypted by ASP.NET.\u201d<\/p>\n<p><strong>Update<\/strong>: Marc Brooks has <a href=\"http:\/\/musingmarc.blogspot.com\/2010\/09\/ms10-070-post-mortem-analysis-of-patch.html\" target=\"_blank\">investigated<\/a> and it looks like there is a bit more to it than that.<\/p>\n<p>Finally, the update will be included in Windows Update but not immediately. Your choice is whether to risk a hack in the period before the automatic update appears, or endure the hassle of the manual downloads. Microsoft advises doing it as soon as possible for servers on the public internet.<\/p>\n<p>I am not sure what percentage of systems are likely to be patched soon, but I\u2019d guess that plenty of vulnerable systems will remain online and that we have not heard the last of this bug.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scott Guthrie\u2019s blog reports that a fix is now available for the Padding Oracle attack, which enables successful attackers to break the security of ASP.NET applications. There are a few points of interest. 
First, there is not one patch but several, and which ones you need depend both on the version of Windows and the &hellip; <a href=\"https:\/\/www.itwriting.com\/blog\/3226-asp-net-padding-oracle-fix-released-time-to-patch-for-windows-administrators.html\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">ASP.NET Padding Oracle fix released, time to patch for Windows administrators<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,55,67],"tags":[170,586,698,810],"class_list":["post-3226","post","type-post","status-publish","format-standard","hentry","category-net","category-microsoft","category-professional","tag-asp-net","tag-microsoft","tag-padding-oracle","tag-security"],"_links":{"self":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/3226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/comments?post=3226"}],"version-history":[{"count":0,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/posts\/3226\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/media?parent=3226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/categories?post=3226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itwriting.com\/blog\/wp-json\/wp\/v2\/tags?post=3226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}