Microsoft warns of in-the-wild attacks on web app flaw

Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering. The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    People still use ASP.NET viewstate?

    I thought everyone had moved onto AJAX. Viewstate was one of the ugliest technical hacks ever to exist (next to Intel's segment memory pointers).

    1. Anonymous Coward

      Question

      I've never used ASP.NET. What I understood from vaguely ignoring the issue on mailing lists was that ViewState was supposed to be used to store "session-like" data, i.e. semi-persistent user data, the values entered into a multi-page form perhaps.

      Was I totally off-base or are there really people storing passwords with this thing?

  2. Neal 5

    @voodoo trucker

    Brilliant logic there. Ajax, essentially for web application client side, can be hacked or used for server hacking a lot easier than the viewstate, or even, as you mention, Intel, who just lately have taken to giving it away rather than make you steal it.

    So, as a developer, would I want a product to be hacked in a few moves, Ajax, a combination of HTML, CSS and JavaScript, probably the most openly prevalent features of any hack attack, or ASP.NET, which, as you rightly say, is ugly, in particular of attack methods, not just coding?

    I'm sorry if that's not very clear, I've a few beers too many inside me, and I'm not on UK time either.

  3. amanfromMars 1

    The Height of Futility in Deep Dark Matters

    "Microsoft hasn't said when it plans to issue a permanent fix." .... Is there such a thing whenever a Covert Utility and Crack Facility?

  4. Anonymous Coward

    base64 == encryption?

    "Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents."

    I hope they don't "encrypt" their customers' financial and other personal details this way. Yet another *huge* MS security fail. See www.trustworthycomputing.com.

  5. sandtrap

    random delay does not fix the problem

    A random delay on the error page does not prevent the timing attack. Only making all security checks uniform in runtime performance (between success and failure) will defeat the timing attacks.
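The point sandtrap makes, as an added example that is not from the thread or from Microsoft: a model of a server verifying the MAC tag on a ViewState blob. Cost is counted in byte comparisons rather than wall-clock time (a constructed unit, so the result is reproducible), and a uniform random delay is added to every response, as the workaround did. The tag, the forged guesses and the jitter range are all constructed values.

```python
import hmac
import random

# Constructed 16-byte MAC tag, standing in for the HMAC over a ViewState blob.
TRUE_TAG = bytes(range(16))

def naive_compare(expected, received):
    """Early-exit byte comparison. Returns (equal, byte_comparisons_done)."""
    steps = 0
    for x, y in zip(expected, received):
        steps += 1
        if x != y:
            return False, steps          # work done depends on where the first mismatch is
    return len(expected) == len(received), steps

def constant_time_compare(expected, received):
    """Same answer, but the work done is always the full tag length."""
    return hmac.compare_digest(expected, received), len(expected)

def forged_tag(correct_prefix):
    """Constructed guess: the first `correct_prefix` bytes are right, the rest are wrong."""
    return TRUE_TAG[:correct_prefix] + bytes(0xFF for _ in range(16 - correct_prefix))

def mean_response_cost(compare, received, rng, samples=2000, max_jitter=50):
    """Average cost of `samples` checks, each padded with a uniform random delay
    of 0..max_jitter comparison-units (the 'random delay on the error page')."""
    total = 0
    for _ in range(samples):
        _, steps = compare(TRUE_TAG, received)
        total += steps + rng.randint(0, max_jitter)
    return total / samples

def leak(compare, seed=1):
    """Mean-cost gap between a guess with 12 correct leading bytes and one with none.
    Near zero means the comparator's timing reveals nothing about progress;
    the random delay only adds noise that averaging removes."""
    rng = random.Random(seed)
    return (mean_response_cost(compare, forged_tag(12), rng)
            - mean_response_cost(compare, forged_tag(0), rng))

if __name__ == "__main__":
    print(f"early-exit compare + random delay:    {leak(naive_compare):+.1f}")
    print(f"constant-time compare + random delay: {leak(constant_time_compare):+.1f}")
```

The early-exit comparator's gap settles near 12 (the 12 extra bytes examined) despite jitter of up to 50 units per response, while the constant-time comparator's gap stays near zero: the delay hides nothing, only uniform work does.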

  6. Tom Chiverton 1

    I never realised it was this bad

    http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx:

    "the ASP.Net application stores ... passwords or database connection strings, in the ViewState object ... The ViewState object is encrypted and sent to the client"

    !?!?!?!?!?!?!?!?

    'What were they thinking' springs to mind.
