.Net security flaw


Stephen Goodridge

I'm sure there are rumours flowing around like this every day but has anyone
heard of a fundamental security flaw in .Net which makes any application
running it and the data stored in it accessible to hackers.

I'm sure this is just rumour-mongering but I'd be interested in knowing if
anyone else has heard anything.

Thanks
Stephen
 
¤ I'm sure there are rumours flowing around like this every day but has anyone
¤ heard of a fundamental security flaw in .Net which makes any application
¤ running it and the data stored in it accessible to hackers.
¤
¤ I'm sure this is just rumour-mongering but I'd be interested in knowing if
¤ anyone else has heard anything.

You may be thinking of the following:

http://www.microsoft.com/security/incident/aspnet.mspx


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 
No, it's not that one. I'm aware of that one. Apparently it's a flaw not
yet published by MS which came out this morning Nov 4th that is so
fundamental that MS don't want anyone to know about it. Apparently
because they don't know how to solve it. I suspect mischief making.

I've seen some posts about code obfuscators and CLI byte code which seem
to suggest .Net can be decompiled, maliciously changed and recompiled
without .Net being aware of the change and I suspect this is along those
lines. Is Java fundamentally different? Does Java have security flaws
which could be exploited?

Thanks

Stephen
 
I'm a little rusty on this area but I believe if you strongly sign your
assembly you can avoid this issue. When you strongly sign your assembly it
creates a public/private key that in addition to your name, version, etc. it
more importantly creates a hash that is based on your assembly's manifest
and components. By doing this the .Net runtime can tell if your assembly has
been manipulated or not. Now I'm not sure what protection there is to an
unsigned assembly but I'm assuming there must be some.

Maybe someone else can speak to this a little better or correct me if I'm
off.

As to any specific exploitable defect I have not heard of any and I probably
wouldn't speak to it if I had until MS released a fix :)

Regards,

Josh
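
A simplified model of the strong-name check described in the post above, as an added example that is not part of the original thread and is not the CLR's own verification code. The class and method names (`StrongNameModel`, `Sign`, `Verify`, `Token`) are hypothetical, the "assembly" bytes are constructed, and the RSA modulus stands in for the real public key blob.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class StrongNameModel
{
    // Model only: the real runtime signs a SHA-1 hash of the PE file contents.
    static byte[] Sign(byte[] image, RSA key) =>
        key.SignData(image, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);

    static bool Verify(byte[] image, byte[] signature, RSA publicKey) =>
        publicKey.VerifyData(image, signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);

    // Public key token: last 8 bytes of SHA-1(public key), byte-reversed.
    static string Token(byte[] publicKey)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] h = sha1.ComputeHash(publicKey);
            return string.Concat(h.Skip(h.Length - 8).Reverse().Select(b => b.ToString("x2")));
        }
    }

    static void Main()
    {
        // Constructed stand-in for the bytes of a compiled assembly.
        byte[] image = Encoding.ASCII.GetBytes("constructed stand-in for assembly bytes");
        using (RSA publisher = RSA.Create())
        using (RSA other = RSA.Create())
        {
            // Assumption: the modulus stands in for the embedded public key blob.
            string pinned = Token(publisher.ExportParameters(false).Modulus);
            byte[] sig = Sign(image, publisher);
            Console.WriteLine("original verifies: " + Verify(image, sig, publisher));

            // Any change to the signed bytes invalidates the publisher's signature.
            byte[] patched = (byte[])image.Clone();
            patched[0] ^= 0x01;
            Console.WriteLine("patched, old signature: " + Verify(patched, sig, publisher));

            // A copy signed by a different key is self-consistent, so the
            // consumer must also compare the token against the one it expects.
            byte[] resig = Sign(patched, other);
            string otherToken = Token(other.ExportParameters(false).Modulus);
            Console.WriteLine("re-signed copy verifies: " + Verify(patched, resig, other));
            Console.WriteLine("token matches pinned: " + (otherToken == pinned));
        }
    }
}
```

On a real assembly, `sn.exe -vf <assembly>` forces signature verification and `sn.exe -T <assembly>` prints the public key token. Microsoft's documentation states that strong names provide a unique identity only and should not be relied on for security.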
 
¤ No, it's not that one. I'm aware of that one. Apparently it's a flaw not
¤ yet published by MS which came out this morning Nov 4th that is so
¤ fundamental that MS don't want anyone to know about it. Apparently
¤ because they don't know how to solve it. I suspect mischief making.
¤
¤ I've seen some posts about code obfuscators and CLI byte code which seem
¤ to suggest .Net can be decompiled, maliciously changed and recompiled
¤ without .Net being aware of the change and I suspect this is along those
¤ lines. Is Java fundamentally different? Does Java have security flaws
¤ which could be exploited?

I haven't heard of anything as of today. The decompilation issue of course is known but I don't know
of any security vulnerabilities with respect to modifying assemblies in-place.

Java is not immune to security vulnerabilities although those discovered have been less critical.
You can check the below link for more info:

http://secunia.com/


Paul ~~~ (e-mail address removed)
Microsoft MVP (Visual Basic)
 