09.13.10
ASP.NET a Security Failure, Not Just a Patent Issue
Summary: Further new evidence that ASP.NET is a weak technology, Windows is extremely dangerous for use, and developers should replace it, not mimic it
Due to yet more security issues, any Mono and ASP.NET pusher at Novell ought to pay attention to deficiencies in the software it’s mimicking. Here is the latest: [via]
‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps
A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users’ online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications.
That would not be the first such embarrassment. We gave other such examples before. Windows may be the least responsibly patched operating system, based on Microsoft's record as of late.
According to this new statement, things are getting worse than ever for Windows, security-wise.
Windows users are still the number one target: 99.4 percent of all new malware of the first half of this year was written for Microsoft’s operating system. The other 0.6% targeted systems that contain e.g. Unix or Java technologies.
Here is a further analysis/breakdown by Pogson (who also found this cripple-ware cartoon which we missed):
That other OS was the target of 98.5% of malware with a further 0.6% aimed at .NET for a total of 99.4%. The remaining 0.6% was mainly attacks on servers with various scripting and cracking attacks.
The “other OS” is Windows and .NET is there too. .NET is insecure in another sense for other reasons too, patent violations for example. █