Microsoft recently released Microsoft Security Advisory (2416728) about a vulnerability (CVE-2010-3332) in ASP.NET that allows the unauthorized access to files that can contain sensitive data within an ASP.NET application such as web.config, and be able decrypt data sent to the client. Microsoft has released a work around for the vulnerability, but they do not have a patch out at this time.
Customers utilizing SecureAuth® Identity Enforcement Platform are already mitigating this risk from outside attackers for their ASP.NET applications. Customers who have integrated their ASP.NET applications with SecureAuth® Identity Enforcement Platform are thwarting attackers who wish to utilize this attack by forcing strong bilateral authentication that authenticates both the user and the server before communication is allowed to the ASP.NET application. Because the attackers are unable to communicate to the customer’s ASP.NET applications, such as Microsoft SharePoint 2010, the risk of this vulnerability has been mitigated from the unauthorized users.
In fact, SecureAuth is the only “Authentication Provider” that provides strong authentication for Microsoft SharePoint 2010 that is token-less, non-phishable, authenticates both the user and the server , easy to deploy, and does not require any agent, proxy, or VPN to be installed.
Contact us to find out about what people are calling the “Game Changer” when it comes to a strong authentication and true identity enforcement that is also a 2-Factor, Web Single-Sign-On, and Identity Management solution that is low cost and easy to deploy.
SecureAuth believes in a defense-in-depth strategy and recommends that you patch this vulnerability once a patch is released.
More information about this vulnerability and work around can be found at:
Microsoft Security Advisory (2416728)
Scott Guthrie’s Blogs: Important: ASP.NET Security Vulnerability and Frequently Asked Questions about the ASP.NET Security Vulerability
Microsoft SharePoint Team Blog
CVE-2010-3332
Categories
Blog |
Tags
2factor, ASP.NET, authentication, cloud security, Identity Management, rsa, RSA Alternatives, SecureAuth, secureID, SharePoint, two factor
|
Author
Milton |
|
I just returned from a week in beautiful but hot St. Louis where SecureAuth Corporation had the privilege of being one of select few vendors to be invited to participate in the FBI sponsored Information Security Officer Training Symposium. This is a truly unique event. Held every two years it is hosted and paid for by the FBI. They invite the ISO from all 50 states to come to a week of training and discussion on IT Security and Cyber Crime.
Vendors can attend by invitation only, no buy in, SecureAuth was invited based upon our project with the state of New Hampshire. Jad Flewelling, ISO for state of NH, led a panel discussion on how the state has successfully used the SecureAuth Identity Enforcement Platform to securely integrate into the Criminal Justis Information System (CJIS) Data Base. The discussion was very well received by the attendees with lots of questions for Jad on how he successfully achieved the integration and met the FBI mandate a year early.
One of the main topics of the conference was that the CJIS ISO office has revised the CJIS Information Security Policy and it is in formal staffing for approval with an implementation goal of January 2011 for all states and territories. The new policy is a significant departure from the current policy in its approach and scope. As a result all proposed multifactor authentication solutions for authentication of users into the CJIS system by the state and local agencies must be approved by the state ISO and then approved by George White of the FBI. While there is not a list of FBI certified authentication products for use in accessing the CJIS, all proposed solutions and architectures must be submitted by the state ISO to George White’s office for approval. We are very proud to say that the SecureAuth Identity Enforcement Platform was approved by Mr. White for deployment at state of NH.
There are 17,000 agencies that need to implement FBI approved access to the CJIS by 2011. SecureAuth IEP is the approved, cost effective, and secure way to meet this mandate.
The world famous St. Louis Arch
