Microsoft has responded to news of a serious security vulnerability in the way that ASP.Net web applications are secured by issuing an emergency patch.
And you know that if a problem is serious enough for Microsoft decides to release a fix outside of its normal “Patch Tuesday” monthly schedule that it’s definitely an important vulnerability.
And rightly so – ASP.Net is a very popular framework for building applications on the web, with many online banking and ecommerce sites relying upon the technology.
The security issue was discovered by researchers Thai Duong and Juliano Rizzo, who discovered a way of exploiting the way that ASP.net web applications handle encrypted session cookies, and demonstrated their findings at a security conference in Argentina earlier this month.
If left unfixed, the security hole could give malicious hackers the ability to read any file on a web application server.
Chillingly, Duoung said:
“It’s worth noting that the attack is 100%…
Read more in my article on the Naked Security website.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.