Security Vulnerability in ASP .Net — Padding Oracle Attack


All editions of ASP.NET (1.0 – 4.0) are vulnerable to the “Padding Oracle” crypto attack. Scott Guthrie has a good post about it here.  Microsoft has acknowledged the attack and is offering a workaround.  There is also a post on Microsoft’s Security Research and Defense blog here.  Microsoft’s official response shows that they aren’t too happy that the hacker decided to publicly disclose the attack without telling them about it first:

We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.

An actual demonstration of the attack on a DotNetNuke installation to become the “SuperUser” took less than five minutes…

DotNetNuke has published their response here.

I’ll be keeping up with this over the weekend.  So come back to find out more.  I haven’t seen any attacks yet… but that will be when it gets interesting…
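What makes a system a padding oracle is not the cipher but the fact that a tampered ciphertext produces distinguishable responses: one answer when CBC decryption yields bad padding, another when padding is fine but something later fails. The example below is added here to illustrate that; it is not code from the post, from ASP.NET or from DotNetNuke. It uses a constructed toy block cipher (XOR with the key, then byte reversal) in place of AES, because the oracle property depends only on CBC plus the padding check, and compares a leaky MAC-then-encrypt design against a hardened encrypt-then-MAC design that verifies the tag before touching the ciphertext and returns one uniform error. Keys, message and the `leaky_*`/`hardened_*` names are all assumptions made up for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32  # HMAC-SHA256 output length


# Toy invertible block cipher, constructed for this illustration only (NOT a real cipher).
# D(E(b)) == b, which is all CBC mode needs; the oracle does not depend on the cipher.
def _toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block, key))[::-1]


def _toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(block[::-1], key))


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_toy_block_decrypt(key, c), prev)))
        prev = c
    return b"".join(out)


# Leaky design: MAC-then-encrypt, padding checked before the MAC, two distinct failures.
def leaky_seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg + tag))


def leaky_open(enc_key: bytes, mac_key: bytes, token: bytes) -> str:
    iv, ct = token[:BLOCK], token[BLOCK:]
    try:
        padded = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        return "padding error"  # response 1: reveals that the padding was wrong
    msg, tag = padded[:-TAG_LEN], padded[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        return "mac error"  # response 2: reveals that the padding was accepted
    return "ok"


# Hardened design: encrypt-then-MAC, tag verified first, a single uniform failure.
def hardened_seal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def hardened_open(enc_key: bytes, mac_key: bytes, token: bytes) -> str:
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "invalid"  # every tampered token stops here, before any decryption
    try:
        pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        return "invalid"  # unreachable for authentic tokens; same answer regardless
    return "ok"


def tamper_responses(open_fn, token: bytes, index: int) -> set:
    """Distinct responses observed when byte `index` of the token takes every other value."""
    seen = set()
    for v in range(256):
        if v == token[index]:
            continue
        t = bytearray(token)
        t[index] = v
        seen.add(open_fn(bytes(t)))
    return seen


def demo():
    enc_key = bytes(range(16))                       # constructed demo key
    mac_key = b"constructed-mac-key-for-this-demo"   # constructed demo key
    msg = b"user=guest"                              # constructed sample message
    leaky_token = leaky_seal(enc_key, mac_key, msg)          # 16-byte IV + 48-byte ciphertext
    hard_token = hardened_seal(enc_key, mac_key, msg)        # 16-byte IV + 16-byte ct + 32-byte tag
    # Tamper the last byte of the block preceding the final ciphertext block in each token.
    leaky = tamper_responses(lambda t: leaky_open(enc_key, mac_key, t), leaky_token, 47)
    hard = tamper_responses(lambda t: hardened_open(enc_key, mac_key, t), hard_token, 15)
    return leaky, hard


if __name__ == "__main__":
    leaky, hard = demo()
    print("leaky responses:   ", sorted(leaky))   # two classes: an oracle
    print("hardened responses:", sorted(hard))    # one class: nothing to distinguish
```

Running `demo()` shows the leaky path answering with two different error classes for a tampered token while the hardened path answers with exactly one, which is the property Microsoft's workaround (a single error page for every failure) was restoring. Verifying the MAC before decrypting, with a constant-time comparison, is the structural fix; collapsing error responses is the mitigation when the token format cannot be changed.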
