Steps have finally been taken by Microsoft to protect millions of exposed networks vulnerable to a .Net exploit that was first discovered nine months ago.

During that time many customers were not only left in the dark, but left dangerously exposed by the vulnerability which was a null byte exploit.

The company has tried to patch the exploit since its discovery by analyst group Security-Assessment.com last October, and has kept mum on the flaw which was uncovered in the U.S. this week as a result of Patch Tuesday.

Security consultant and researcher at Security-Assessment.com Matthew Strahan said a filename which contains a null byte in the .Net environment can launch a Null byte injection attack which allows servers to be fully compromised.

He said a flaw exists in an upload file code when the .Net Common Language Runtime (CLR) considers Null bytes as data to directly call a native C function call.

"The flaw could be very dangerous when affected servers are trying to receive uploaded files; a null byte will terminate strings in lower level layers but won't for strings in higher level layers," Strahan said.

"The attack means you can upload any code you want to take over the entire server.

"If you upload a .aspx file, followed by a Null byte and an extension such as .txt, it will be saved as a txt file. [Native function] calls at the injected Null byte allows a remote user to terminate a sting parameter which can lead to a compromise."

Strahan said there are five vulnerabilities that can be exploited under the same method, and warned .Net users to review their .Net frameworks and applications and to ensure they apply the patch for the exploit which was released earlier this week.

He said uploaded files can be sanitized by adding a file extension such as .txt or .doc.

"There are stacks of businesses that need to assess the vulnerability; the code is certainly not uncommon," Strahan said.

Security-Assessment.com reported close to 90 percent of Web sites upon which the company penetration tested in 2006 had "critical to urgent vulnerabilities"

Microsoft's Patch Tuesday release covered vulnerabilities in Microsoft's .Net Framework, Office Excel, Office Publisher, and three for its Windows operating systems.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Whitepapers

• Gene Kim's Practical Steps to Mitigate Virtualization Security Risks
• Selecting Effective Virtual Directories
• A Modern Approach to On-Demand Email and Data Security
• Best Practices for HP Servers and HP Enterprise Virtual Array in a Microsoft Exchange
• Compliance, Protection, Recovery: A Layered Approach to Laptop Security
• Endpoint Security: Data Protection for IT, Freedom for Laptop Users

View more SECURITY whitepapers

Webcasts

• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies
• Technical Overview of Exchange Server 2007 with HP Servers and Storage
• Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management On-Demand

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• Learn how to Keep your Mobile Workforce Connected
• The self-managed network

View more SECURITY special reports