Microsoft’s Malware Mayhem: Beware of ViewState Key Blunders!
Microsoft warns that attackers are carrying out ViewState code injection attacks using ASP.NET machine keys found online. Developers should avoid default or public keys, upgrade to ASP.NET 4.8, and secure machine keys to prevent malicious payloads from being delivered to IIS servers. Microsoft has identified over 3,000 publicly disclosed keys, which pose a higher threat than stolen ones.

Hot Take:
Who needs the dark web when you have Microsoft documentation? It seems like cybercriminals have been taking a page from the ‘how to’ book of ASP.NET and flipping it into a ‘how to hack’ guide. Maybe it’s time for developers to stop playing hide and seek with their keys online and start locking them up in a safe place!

Key Points:
- Attackers are using publicly available ASP.NET machine keys for ViewState code injection attacks.
- Microsoft has identified over 3,000 publicly disclosed keys that pose a security risk.
- Developers are urged to securely generate machine keys and avoid using default or online-found keys.
- Microsoft recommends upgrading apps to ASP.NET 4.8 and using attack surface reduction rules.
- Web-facing servers with publicly disclosed keys should undergo rigorous security checks and potential reinstallation.
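
A minimal audit for the advice above, as an added example that is not from Microsoft or the original article: it flags hard-coded `machineKey` values in a web.config and checks them against a list of disclosed-key fingerprints. The sample config, the key values and the SHA-256 fingerprint format of the disclosed list are constructed assumptions.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with a hard-coded machineKey (values are made up).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def key_fingerprint(key_hex):
    """SHA-256 of the upper-cased key string (assumed format of the disclosed-key list)."""
    return hashlib.sha256(key_hex.strip().upper().encode("ascii")).hexdigest()

# Constructed stand-in for a list of publicly disclosed keys, stored as fingerprints.
DISCLOSED = {key_fingerprint("0123456789ABCDEF" * 4)}

def audit_machine_keys(config_xml, disclosed=DISCLOSED):
    """Return (attribute, status) for every static key in any <machineKey> element."""
    findings = []
    # iter() also reaches <machineKey> elements nested under <location> blocks.
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if value is None or value.split(",")[0].strip().lower() == "autogenerate":
                continue  # runtime-generated key, nothing static to leak
            status = "DISCLOSED" if key_fingerprint(value) in disclosed else "static"
            findings.append((attr, status))
    return findings

def new_key_hex(num_bytes):
    """Generate a replacement key from the OS CSPRNG, as upper-case hex."""
    return secrets.token_hex(num_bytes).upper()

if __name__ == "__main__":
    for attr, status in audit_machine_keys(SAMPLE_WEB_CONFIG):
        print(f"machineKey {attr}: {status}")
    print("replacement validationKey:", new_key_hex(64))
```

A `static` finding is not a compromise by itself, but it marks a key that must never have been copied from documentation, a code repository or a forum post.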