News from SANS

–Microsoft Says Millions of ASP.net-Based Web Sites Vulnerable To
Major Attack
(September 20, 201, 2010)
Microsoft confirmed that a vulnerability disclosed at a Buenos Aires
hacker conference is present in “millions of web sites” that rely on the
ASP.Net framework. The researchers showed how attackers can exploit an
error in ASP.Net’s encryption to decrypt data on a remote server, and
read and copy files from a site or Web application that relies on the
framework. Especially vulnerable to theft are user names and passwords.
The vulnerability is present on millions of Web sites. Microsoft has
published a tool to detect vulnerable ASP.Net applications and established
a dedicated support forum (http://forums.asp.net/1233.aspx) to answer
questions from people building web sites and applications.
[Editor's Note (Pescatore): When you learn to drive, they always try to
ingrain "defensive driving" into you, as driving is dangerous. Since
software engineering is still an oxymoron, and web sites represent the
"LA Freeway" (Or "LIE" for you East Coasters) of software, defensive web
site techniques are clearly required to protect customer and business