Please read if you have public ASP.NET sites

Yesterday, a new crypto oracle-type vulnerability was publicly disclosed. It is an important vulnerability that is likely to be exploitable on a large proportion of ASP.NET sites, even those that are using configuration settings that were previously considered safe.

A workaround is already available and should be set up right now. Pay close attention to it and apply it exactly as described, without trying to simplify it, as that may result in your sites still being vulnerable. The issue is rather subtle (like pretty much all oracle attacks are).

Scott published a blog post with all the details, which I will not attempt to reproduce here in order to minimize any chance of confusion.

Please go to Scott’s post, read it and do what you have to do.

It’s always a bummer when that sort of thing happens but now is the time to take action so that your sites don’t fall to an automated or manual attack in the next few days.

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

UPDATE: Scott published a FAQ on this issue:
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
