Published: August 9, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
Everyday users don’t usually see .NET when they go about their day-to-day business. But for application and software developers explain that .NET is a platform for developing different types of apps, including those for web, mobile, desktop, and IoT (internet of things), among others. However, there’s a row evolving between the creator of .NET, Microsoft, and those who use the .NET platform. The developers maintain that .NET has a vulnerability in its latest 3.1x versions that can be exploited by “garbage collecting” hackers.
Garbage collecting (GC) is where the .NET vulnerability resides. GC is an important function for .NET developers. Running out of memory is a problem for this group, and GC manages the allocation and release of memory for objects no longer being used by the application. When GC is customized, it allows the developer to determine when the best time is to perform a garbage collection. An attacker’s first step is to create a custom garbage collection containing the malicious code they want to execute on a system.
The .NET vulnerability issue pits Microsoft and developers at odds about how they each view it. Microsoft maintains that to exploit .NET, an attacker first needs access to the system. That means the .NET vulnerability is used together with an already existing system exploit. This helps a hacker prevent security software detection. Since an attacker is already in the system, Microsoft takes no responsibility for the flaw and actually considers this ability to customize the garbage collection as a valuable feature. Developers aren’t happy about Microsoft’s “hands off” approach to this and the cover it supplies for attackers and their malware.
The end result of this security scenario involving Microsoft, app developers and the alleged security bug (depending on whom you’re asking) is that if you’re a developer using .NET, or thinking about using it, be aware of this latest security issue that at least for now, is not on the list to be fixed.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org