ASP.NET Forms Authentication is a pretty common mechanism for web access management (when combined with NTFS permissions) in .NET web applications. Security researchers Thai Duong and Juliano Rizzo have discovered a technique to compromise an ASP.NET Forms Authentication cookie when AES encryption is in use.
It's worth noting that the attack is 100% reliable, i.e. once an attacker runs it against a target, success is only a matter of time.
The workaround seems to be: don't use AES (until MS releases a patch).
The method, why and mitigations are described over here: http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx
More coverage here: http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
Patches are available now:
http://www.microsoft.com/technet/security/bulleti…