Earlier this week, on the lead up to the ekoparty Security Conference in Argentina, a pair of security researchers announced that they would demonstrate an attack to exploit the way that ASP.NET handles encrypted session cookies.
I first learned of this on Wednesday, when someone posted a question on Stack Overflow. Since then, Microsoft have issued a security alert and Scott Guthrie has put out a blog post giving a full explanation of how this works and how it may affect you. Scott's post includes a link to a script you can run on your servers to identify vulnerable sites. In short, you need to have a <customErrors> section in your Web.Config file and map all errors to a single error page.
As reported here, the attack is 100% reliable; any ASP.NET website can be "owned" in seconds. The longest it takes is less than 50 minutes. Confirm with your bank that this has been remedied before logging into your account (ASP.NET sites)!
Update to Security Advisory 2416728 (09-20-2010)
FAQ about the ASP.NET Security Vulnerability - Scott Guthrie (09-21-2010)
Update on ASP.NET Vulnerability - Scott Guthrie (09-24-2010)
ASP.NET Security Update Shipping Sept 28th - Scott Guthrie (09-27-2010)
Microsoft Security Bulletin MS10-070 (09-28-2010)
ASP.NET Security Fix Now on Windows Updates - Scott Guthrie (09-30-2010)
The Microsoft Connected Information Security Group (CIGS) has released an updated build of the CAT.NET tool.
There are some bug fixes and the ability to export results to Excel included in this release and users are advised to upgrade:
Note that this is the 32-bit version.