Last post Sep 18, 2010 03:26 PM by lwoody3
Sep 17, 2010 11:29 AM|Tim Acheson|LINK
Can anybody direct me to an official response from Microsoft to the recently identified, and highly exaggerated and sensationalised, Padding Oracle / AES cookie encryption vulnerability which allegedly affects various platforms including Java, Ruby on Rails,
As far as I can tell, this issue is not as serious on any of the affected platforms as the regurgitated suggestions in the hyped articles seem to imply. Data is only compromised if developers are careless enough to . And despite all the headlines mentioning
banking and singling out ASP.NET, websites where security is that important should all be using HTTPS.
One highly sensationalised headline and article about this, which only mentioned ASP.NET, has been picked up and distributed and repeated prolifically. And sensationalist hype is a good way to get people to click on and share a link to your website. However,
as fun and trendy as it may be to try and find reasons to criticise Microsoft technology, it is also dangerous and irresponsible when doing so overlooks or neglects to mention other platforms affected by the same type of vulnerability. Nevertheless, it's reassuring
to know that potential issues in MS technology are quickly flagged and hard to miss, because they attract so much publicity. The original report presented at Woot 2010 doesn't even mention ASP.NET. Of course, various other platforms may be vulnerable, e.g.
Python, which have not yet been tested because they are not very numerous/popular.
Sep 17, 2010 10:59 PM|levib|LINK
The MSRC advisory for this issue is available at http://www.microsoft.com/technet/security/advisory/2416728.mspx. Please refer to that article for more information.
Sep 18, 2010 04:09 AM|Tim Acheson|LINK
Thanks for the link to Microsoft's official security advisory for this padding oracle exploit, which is still under investigation.
It would be useful to see a more detailed response from MS. There's a lot of misleading and unreliable information about this in articles circulating online, and some clarity from a trusted source is needed. There are thousands of articles making gross exaggerations,
e.g. that this "completely breaks ASP.NET's security".
What would be especially useful from Microsoft is some clarity on the following points.
Sep 18, 2010 04:17 AM|levib|LINK
The MSRC advisory contains answers to those questions. Additionally, you might be interested in http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx, which explains the technical side behind this a little bit more.
The MSRC advisory also contains a large section regarding steps application developers can take to mitigate this vulnerability. It includes a sample custom error page that you can drop into your application and a Web.config snippet demonstrating how to
hook it up.
Sep 18, 2010 04:26 AM|Tim Acheson|LINK
I have found Microsoft's official response to the padding oracle exploit in ASP.NET on the
Microsoft official security response blog. This is accompanied by a
blog post about the extent of the risk and how to detect and protect against it. (Thanks to Nazim's IIS security blog
where I found the information.)
This confirms that there is only a risk if the web application displays details of errors. Obviously all production web applications should display a generic user-friendly error page regardless of the error. Displaying details of errors exposes an application
to many other potential risks, not just this padding oracle attack.
Sep 18, 2010 10:14 AM|OWScott|LINK
Tim, it's more impacting than that. Just having the status code available makes you vulnerable. So, the important part is ensuring that all error pages (404, 500, etc) are directed
to the same completely generic page, that doesn't even reveal what the status code is.
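The two configurations below are an added illustration of the point levib and OWScott make above (a single generic error page wired up through Web.config); they are not the MSRC advisory's own snippet and not code from anyone in this thread. The page name ~/GenericError.aspx is an assumed placeholder, and the example assumes ASP.NET 3.5 SP1 or later, where the customErrors element supports redirectMode="ResponseRewrite".

```xml
<!-- WEAK: per-status-code error pages.
     Each distinct error page (and the 302 redirect that ASP.NET issues by
     default) tells the client which kind of failure occurred, so a
     padding/decryption failure is distinguishable from a "not found".
     This is the pattern OWScott warns about above. -->
<configuration>
  <system.web>
    <customErrors mode="On">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>

<!-- CORRECTED: every error, whatever its status code, is answered with the
     same page. ResponseRewrite serves the page in place instead of issuing a
     redirect, so the client sees neither a different URL nor an
     aspxerrorpath query string. The page itself (~/GenericError.aspx, an
     assumed name) must return identical content for every failure and must
     not echo exception details. -->
<configuration>
  <system.web>
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/GenericError.aspx" />
  </system.web>
</configuration>
```

The thing to verify after deploying the corrected configuration is that a request for a non-existent page and a request that causes a server-side exception return byte-identical responses; any difference in body, status line or headers reintroduces the signal the generic page is meant to remove. The MSRC advisory linked above goes further than this snippet (its sample error page also adds a random delay), so treat the advisory as the authoritative reference and this as a minimal illustration.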
Sep 18, 2010 03:26 PM|lwoody3|LINK
I've tried to compile all the pertinent, up-to-date info here:
Padding Oracle Attack