The Microsoft Security Response Center recently released a new security advisory warning ASP.NET users about a new security vulnerability. Attackers can exploit the vulnerability in the ASP.NET encryption module to access any file, including web.config. The vulnerability exists in all released versions of ASP.NET, and its impact should not be underestimated. No patch has been released yet. Developers and maintenance personnel are urged to strengthen their defenses.
It is reported that the new vulnerability in the ASP.NET encryption module allows attackers to decrypt and tamper with arbitrary encrypted data. If the ASP.NET application runs on ASP.NET 3.5 SP1 or later, attackers can use this encryption vulnerability to request the contents of any file in the ASP.NET application. Some attack cases circulating on the Internet show that attackers can exploit this encryption vulnerability to obtain the contents of the web.config file. In fact, once an attacker obtains the access permissions of the web application's worker process, the attacker can access arbitrary files in the application.
Microsoft said it is currently working with its partners to provide temporary protection measures for users until it releases a patch. Microsoft pointed out that after completing its investigation of this vulnerability, the company will provide a security update through its monthly routine patch release, and may also release an out-of-band patch as appropriate.
Operating systems affected by this ASP.NET vulnerability include Windows XP SP3, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
For more information about this vulnerability, visit: http://www.microsoft.com/technet/security/advisory/2416728.mspx
Link: http://www.cnbeta.com/articles/122277.htm