HEAT Security Blog

ASP Bite Danger

This is outside my normal beat on data protection, but since we know that most cyber exploits these days are about getting to your data, I figure it’s OK to stray a bit. Two bits of news which popped up over the weekend which I found interesting: the Microsoft ASP.Net vulnerability and the out-of-band Adobe patch. I won’t go into depth on these – just the facts, as Sgt. Friday used to demand.

Let’s start with the Microsoft ASP.Net vulnerability; here’s what we know so far:

  • On Friday, September 17, Microsoft released Security Advisory 2416728 addressing a security hole in Microsoft’s popular Web framework, ASP.NET.
  • This vulnerability was first disclosed by researchers Thai Duong and Juliano Rizzo at the annual ekoparty hacking conference in Buenos Aires, Argentina; you can see a video of it in action here (music by the Plain White T’s).
  • The problem lies in the way that ASP.NET implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. This is related to something the crypto pros call “padding oracle,” which has nothing to do with Oracle the company.
  • The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable web application and abuse other processes that use the application’s crypto API.
  • Scott Guthrie from Microsoft has suggested a work-around in his blog (see here); it involves “explicitly configur[ing the] applications to always return the same error page – regardless of the error encountered on the server.”

Next up, the recently announced Adobe Out-of-Band patch for its Flash Player:

  • This vulnerability was published by Adobe on September 13 and impacts Adobe Flash Player and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player for Android.
  • It “could cause a crash and potentially allow an attacker to take control of the affected system.”
  • According to the US Computer Emergency Readiness Team (US-CERT), hackers can exploit the vulnerability by luring users to a malicious Web site or by getting them to open a booby-trapped PDF or MS Word document.
  • You can check your version of Flash at this Adobe About page. The 2.7 MB fix is available from this link; please remember that if you run more than one browser, you’ll need to patch each one separately. Of course, you could just use your patch management solution to do this all for you!  😉
  • And one last thing: unless you want additional toolbars, please make sure you uncheck the options offered.

OK, there you have it — another set of vulnerabilities discovered and (mostly) sorted. I recently heard that we’re on course to hit 10,000 vulnerabilities this year, well above the historic levels of 6-7,000 per year — this, combined with the exponential growth in malware, suggest that we’re going to get busier and busier with these sorts of “crises” moving forward unless we change the game. But that’s a topic for another day.