I am doing some research on .NET security. Most sources just describe .NET security mechanisms but say not even a word about possible vulnerabilities or things to be kept in mind. Do you know of any security problems on the .NET platform?

+3  A: 

You can take a look at Secunia. They show 14 vulnerabilities for .NET 2.0, zero unpatched.

Dario Solera
+2  A: 

You really need to check out Keith Brown's excellent book on the topic, which can be read online. It's worth buying the paper copy though, IMO.

Dave Markle
+4  A: 

The major source of security problems in the .NET world is the developers using it. It is easy to write applications with any framework, and the .NET Framework is not any better.

Apart from that the only major problem I can think of is all the controls that use String instead of SecureString for storing sensitive data like passwords. Each version of the .NET framework is better than the last here, but I think there are still several common controls that don't use them.

The SecureString can be thought of as a String that is stored in encrypted memory and that is deleted from memory after use. Since strings in .NET are immutable, any new strings will be stored in memory in a shared location so that new strings of the same value can share that memory location. This means that sensitive data stored in a string is relatively easy to get hold of.

Rune Grimstad
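
An added example, not part of the answer above or of any library's own code, showing the SecureString handling that answer describes: the password is collected key by key so it never becomes an immutable String, and plaintext exists only in an unmanaged buffer that is zeroed after use. The helper names `ReadPassword` and `UsePlaintext` are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringDemo
{
    // Hypothetical helper: reads a password one key at a time, so the
    // full secret never exists as an immutable System.String.
    static SecureString ReadPassword()
    {
        var secret = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        secret.MakeReadOnly(); // no further edits to the stored secret
        return secret;
    }

    // Hypothetical helper: exposes plaintext only in an unmanaged buffer
    // for the duration of the callback, then zeroes and frees that buffer.
    static void UsePlaintext(SecureString secret, Action<IntPtr, int> consumer)
    {
        IntPtr buffer = IntPtr.Zero;
        try
        {
            buffer = Marshal.SecureStringToGlobalAllocUnicode(secret);
            consumer(buffer, secret.Length);
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(buffer);
        }
    }

    static void Main()
    {
        Console.Write("Password: ");
        using (SecureString secret = ReadPassword())
        {
            UsePlaintext(secret, (ptr, length) =>
                Console.WriteLine("\nReceived {0} characters.", length));
        } // Dispose() clears the SecureString's own buffer
    }
}
```

Copying the secret into a String inside the callback (for example with `Marshal.PtrToStringUni`) reintroduces the exposure this pattern avoids, since that managed copy cannot be wiped and lives until the garbage collector reclaims it.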
A: 

For something very interesting, yet not necessarily exploitable (since you'd need root access anyway), check out this talk at this year's Black Hat (hmm, going on right now) by Erez Metula, on using some techniques to hack the .NET Framework and implement ".NET Rootkits".

AviD