Posts Tagged ‘two factor’

Microsoft recently released Microsoft Security Advisory (2416728) about a vulnerability (CVE-2010-3332) in ASP.NET that allows unauthorized access to files within an ASP.NET application that can contain sensitive data, such as web.config, and allows an attacker to decrypt data sent to the client. Microsoft has released a workaround for the vulnerability, but does not have a patch out at this time.

Customers utilizing SecureAuth® Identity Enforcement Platform are already mitigating this risk from outside attackers for their ASP.NET applications. Customers who have integrated their ASP.NET applications with SecureAuth® Identity Enforcement Platform are thwarting attackers who wish to utilize this attack by forcing strong bilateral authentication that authenticates both the user and the server before communication is allowed to the ASP.NET application. Because the attackers are unable to communicate with the customer’s ASP.NET applications, such as Microsoft SharePoint 2010, the risk of this vulnerability from unauthorized users has been mitigated.

In fact, SecureAuth is the only “Authentication Provider” that provides strong authentication for Microsoft SharePoint 2010 that is token-less, is non-phishable, authenticates both the user and the server, is easy to deploy, and does not require any agent, proxy, or VPN to be installed.

Contact us to find out about what people are calling the “Game Changer” when it comes to strong authentication and true identity enforcement that is also a 2-Factor, Web Single-Sign-On, and Identity Management solution that is low cost and easy to deploy.

SecureAuth believes in a defense-in-depth strategy and recommends that you patch this vulnerability once a patch is released.

More information about this vulnerability and the workaround can be found at:

Microsoft Security Advisory (2416728)

Scott Guthrie’s Blogs: Important: ASP.NET Security Vulnerability and Frequently Asked Questions about the ASP.NET Security Vulnerability

Microsoft SharePoint Team Blog

CVE-2010-3332

Tom

RSA and VeriSign Partner on Cloud-Based OTP Service

Written on October 21, 2009 at 7:00 pm, by Tom

http://www.rsa.com/press_release.aspx?id=10462

This is an interesting response to MultiFactor Corporation’s cloud solution. Having RSA and VeriSign try to tweak and then reposition what many view as cumbersome, old, expensive technology as “cloud-based” is validation of SecureAuth and our vision. However, the problem is that their joint solution delivers primarily on buzzwords while keeping the hassles and challenges that users want to be free from. SecureAuth was designed from its inception on modern web architecture to provide its customers true browser-based, strong, secure access without the cost and burden of special hardware or client software.

According to the headline on the joint press release, the new arrangement allows channel partners to offer users managed, shared authentication to access multiple Websites. It appears that you will need every user to own and carry an RSA SecurID token to access VeriSign VIP, which then can be configured by their partners to let you into other “participating” websites. What’s left out are enterprise applications and networks (VPNs). Additionally, users still need to type in little numbers from a plastic token or fat mobile phone application every time they log in.

Quote from the release: “The alliance of two powerhouses with the integration of RSA SecurID technology into VIP will strengthen their combined market leadership and work to increase the collective clout of both VeriSign and RSA”. We hope to keep our customers happy with an innovative product and good service, rather than wielding clout. Sounds like they want to keep customers locked into a lucrative, albeit dying, OTP cash cow business for both of them.

If you are truly interested in a two-factor authentication and identity solution that has been designed to meet enterprise cloud security needs, please allow MultiFactor to show you what our customers know: there is a better alternative to RSA SecurID and VeriSign. Of course, we also can offer the same, singular solution for secure websites, web applications, enterprise applications, identity management systems, IPSec VPNs and SSL VPNs.

In the next post we’ll explore how these dinosaurs are responding with their own SecurID token alternatives. RSA calls it the “RSA Decision Tree”. For those willing to give up more security and flexibility, they’ll go a bit easier on the price.
