Microsoft issues emergency update for macOS and Linux ASP.NET threat
Summary
Microsoft released an emergency update to fix a serious security problem in its ASP.NET Core software used on macOS and Linux. The flaw allowed hackers to gain full control of affected devices by exploiting a weakness in how the software checks digital signatures. Users must update and take extra steps to protect their systems fully.
Key Facts
- The vulnerability affects Microsoft.AspNetCore.DataProtection versions 10.0.0 to 10.0.6 on macOS and Linux.
- Hackers could exploit this flaw to gain SYSTEM-level access, meaning full control of the device.
- The problem is due to incorrect checking of cryptographic signatures during data validation.
- Even after updating to version 10.0.7, previously stolen authentication tokens may still allow unauthorized access.
- Microsoft advises users to rotate their DataProtection keys to invalidate any forged tokens created during the vulnerable period.
- The issue does not affect Windows users because different encryptors are used there.
- The flaw was found while fixing another bug related to decryption failures in the software.
- Users whose applications run internet-facing endpoints are at higher risk and should audit tokens and reset credentials where needed.
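The affected range listed above can be turned into a quick dependency check. This is an added example, not code from Microsoft or the original article: it flags explicit references to the package in a project file, the sample project is constructed, and the `audit` and `classify` names are illustrative. It cannot tell which operating system the application is deployed on.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED = (10, 0, 0)  # range given in the summary: 10.0.0 ...
LAST_AFFECTED = (10, 0, 6)   # ... to 10.0.6 (10.0.7 is the update)

def parse_version(text):
    """Return (major, minor, patch, is_prerelease), or None if not a literal version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)?(-[0-9A-Za-z.-]+)?", text.strip())
    if not m:
        return None  # floating versions, ranges, MSBuild properties, or missing
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4] is not None

def classify(version_text):
    """'affected', 'ok', or 'review' when the version cannot be decided statically."""
    v = parse_version(version_text or "")
    if v is None or v[3]:  # unresolved or prerelease: the summary does not cover these
        return "review"
    return "affected" if FIRST_AFFECTED <= v[:3] <= LAST_AFFECTED else "ok"

def audit(project_xml):
    """List (version, verdict) for each explicit reference to PACKAGE in an MSBuild file."""
    findings = []
    for el in ET.fromstring(project_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate files that declare an xmlns
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        if (el.get("Include") or el.get("Update") or "").lower() != PACKAGE.lower():
            continue  # NuGet package ids are case-insensitive
        version = el.get("Version") or next(
            (c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        findings.append((version or "(none)", classify(version)))
    return findings

# Constructed sample project file, for illustration only.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.4" />
    <PackageReference Include="microsoft.aspnetcore.dataprotection" Version="10.0.7" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="$(DpVersion)" />
    <PackageReference Include="Newtonsoft.Json" Version="10.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, verdict in audit(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {verdict}")
```

A "review" verdict means the version has to be resolved some other way, for example from the restored package list, before the application can be ruled in or out.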
This is a fact-based summary from The Actual News.