FAQ Released For Microsoft ASP.NET CryptographicException Attack
Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted on his blog late Monday a FAQ about the ASP.NET CryptographicException vulnerability.
Highlights:
- All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
- SharePoint is affected, too. A workaround on how to employ a new generic error document for SharePoint is detailed at that team’s blog.
- Everyone should employ the recommended workarounds.
- You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
- A patch will be released as a Windows Update hotfix, but no release date has been set yet.
- Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.
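The last bullet is the detection side of the FAQ. The script below is an added example (not from the FAQ or the original post) that scans ASP.NET health-monitoring events exported from the Windows Application log and flags client addresses that produce a burst of CryptographicException events; the log lines are constructed for the example, and the five-in-five-minutes threshold is an assumed starting point, not a Microsoft figure.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ASP.NET health-monitoring events from the Windows Application log,
# flattened to one line each. The labels "Exception type:" and "User host address:"
# follow the ASP.NET event text; timestamps and addresses are made up for this example.
SAMPLE_EVENTS = [
    "2010-09-20 09:00:01 Exception type: HttpException User host address: 198.51.100.2",
    "2010-09-20 09:00:05 Exception type: CryptographicException User host address: 203.0.113.7",
    "2010-09-20 09:00:06 Exception type: CryptographicException User host address: 203.0.113.7",
    "2010-09-20 09:00:08 Exception type: CryptographicException User host address: 203.0.113.7",
    "2010-09-20 09:00:09 Exception type: CryptographicException User host address: 203.0.113.7",
    "2010-09-20 09:00:11 Exception type: CryptographicException User host address: 203.0.113.7",
    "2010-09-20 13:30:00 Exception type: CryptographicException User host address: 198.51.100.9",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Exception type: (?P<exc>\w+)"
    r".*?User host address: (?P<ip>\S+)"
)

def parse_events(lines):
    """Yield (timestamp, exception type, client address) for lines that match."""
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["exc"], m["ip"]

def probing_hosts(lines, threshold=5, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` CryptographicExceptions inside any interval of
    length `window`. One event is noise; a burst is someone hammering the error path."""
    per_ip = defaultdict(list)
    for ts, exc, ip in parse_events(lines):
        if exc == "CryptographicException":
            per_ip[ip].append(ts)
    flagged = []
    for ip, stamps in sorted(per_ip.items()):
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return flagged
```

On the sample, only 203.0.113.7 is flagged; the single afternoon event from 198.51.100.9 stays below the threshold.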
I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack
Major Security Hole In ASP.NET Requires Error Redirect Workaround
A major security flaw in ASP.NET was announced on Friday — one that affects all versions and can allow an attacker to see ViewState and web.config data in clear text.
As such, everyone who has made an ASP.NET Web site should take this threat very seriously.
Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.
For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>
Where, of course, error.html is the name of the error page you made.
If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
Where, of course, error.aspx is the name of the error page you created.
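Because the workaround only holds when every error ends up on the one generic page, it is worth checking web.config rather than trusting memory. The audit function below is an added example, not part of the original post or of Microsoft's guidance; the three web.config fragments are constructed for it, and the per-status `<error statusCode=...>` child check reflects the FAQ's point that all HTTP errors must route to the single page.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for this example: one left at the defaults, one with a
# per-status error page that bypasses the single generic page, and one with the workaround.
WEAK_DEFAULT = """<configuration><system.web>
  <customErrors mode="RemoteOnly" />
</system.web></configuration>"""

WEAK_PER_STATUS = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx">
    <error statusCode="404" redirect="~/notfound.aspx" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

def audit_custom_errors(web_config_xml, aspnet_35sp1_or_later=True):
    """Return a list of findings; an empty list means the workaround is in place.
    Pass aspnet_35sp1_or_later=False for 1.x / 2.0 / 3.5, where redirectMode is not used."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element: errors are not routed to one generic page"]
    findings = []
    if node.get("mode") != "On":
        findings.append(f'mode={node.get("mode")!r}; the workaround needs mode="On"')
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect is missing: no single generic error page")
    if aspnet_35sp1_or_later and node.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode should be "ResponseRewrite" on 3.5 SP1 / 4.0')
    for err in node.findall("error"):  # per-status pages let responses differ by error
        findings.append(f"per-status page for {err.get('statusCode')} bypasses the generic page")
    return findings
```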
To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.
I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround
New England GiveCamp 2010: What A Great Experience
The first New England GiveCamp was this weekend at Microsoft’s Northeast Research and Development building in Cambridge, MA, and it was, by far, one of the most rewarding experiences I’ve had in the 15 years I have been professionally coding.
About 100 technical and non-technical volunteers spent the weekend of June 11-13 writing code for charities. Most projects were Web site upgrades — either installing a content management system, or extending that system to do something it didn’t do before, such as collecting very specific data, integrating with a customer relationship management tool, etc.
Other projects were more complex. For example, my project was data normalization and version control.
I was assigned to the Goshen Land Trust, a charity that protects open and green space in Goshen, CT. My team members were Kriss Aho and Pat Tormey, both from the Boston area; and Chris Craig, the president of GLT.
Prior to last weekend, GLT tracked all its customer relationships in Excel spreadsheets. They do their accounting in Quickbooks.
If someone was a volunteer, his name went into the volunteer spreadsheet. If he owned land, his name was in the landowner spreadsheet. If he was a land or money donor, his name went into another spreadsheet. And so on, and so on; this story has been told a thousand times before, we all know it by heart.
And, of course, there were several versions of each of these spreadsheets out there: They were exchanged back and forth via e-mail, meaning no two copies of the same spreadsheet were alike. Again, stop me if you’ve heard this one before.
Finally, donor payments are managed entirely separate from the spreadsheets, via entries into Quickbooks. So there’s a completely different store of around 800 mostly duplicate names in Quickbooks, too, which isn’t easily compared to a spreadsheet of about 2,000 names.
So we had to figure out a way to impose some version control on these sheets; we had to create a master data store, so we could have an authoritative source of customer relationship information; and we had to sync customer information in Quickbooks to match the master data store.
Sounds like fun, I know. It actually was, after it stopped being awful.
Designers And Developers: Donate Your Time, Talent At New England GiveCamp, June 11-13, 2010
One of the things I found out about at Tuesday’s MSDN Northeast Roadshow stop in Augusta is the first New England GiveCamp, June 11-13 at Microsoft’s Northeast Research and Development center in Cambridge, MA.
I’m attending, and I’d urge you to do so.
A GiveCamp is basically a gathering of developers, DBAs, project managers, designers and other IT folks in a given place, to donate their time and skills to charitable projects.
In the case of the New England GiveCamp, typical projects include upgrading Access databases, or converting Excel spreadsheets to Access; integrating open-source tools, such as Joomla, Drupal and Django, into existing Web sites; adding various gizmos to and tuning up existing Web sites; and several requests to spruce up the look of various types of collateral.
I believe the biggest mistake you could make in deciding whether to participate is thinking that you don’t have the kind of skills needed. From what’s been said at the GiveCamp’s Web site, there’s going to be plenty to do, whether you’re Linus Torvalds or Linus Van Pelt.
I think this goes doubly for graphic designers. Trust me, if you are an artistic person, no matter how little you think of your work, your worst effort is 10 times better than the best design ever produced by a programmer. I am speaking from extensive personal experience here. We’re the people who gave the Internet Comic Sans, animated GIFs and the <marquee> tag, remember. Please, save us from ourselves.
As the Northeast GiveCamp put it, “If you have the passion, we’ll find a place for you.”
In addition to the technical work on site, there are a myriad other volunteer opportunities both before and during the event, including registration, sponsor solicitation, organizing the development teams and matching them to non-profit organizations, handling logistics for food and snacks, and others we’ll discover along this journey!
Visual Studio 2010 / .NET 4 Events For Maine-Based Developers
On Monday, Microsoft set its Internet volume knob to 11, announcing the official release of Visual Studio 2010 and the .NET 4 framework. If you haven’t seen it, take a look at Scott Hanselman’s comprehensive rundown of where to get the tools (including free Express editions) and what those new tools have waiting for you. (Oh, and some guy named Scott Guthrie mentioned it in passing, too. {lulz})
Of course, no major Microsoft product release is complete without scads of in-person events to show them off, a trade show / seminar / reception for Partners to upsell you goods or services, and a little swag. In the case of Maine, we get two bites of the apple, as it were — that is, if you consider a day trip to Boston something that’s local to Maine (and trust me, you should.)
These events are free but do require registration.
On April 29, Microsoft conducts a day-long launch event at the Westin Copley Place hotel in Boston. (As of this writing, registration was still open for the Boston event. However, I would recommend acting yesterday if you want to attend; once word spreads, these events fill up quickly).
Labeled “Launch 2010 Technical Readiness Series,” the developer track of this event (there are IT professional and manager tracks, too) is actually more an overview of the new technologies. SharePoint / Office programming; Windows; ASP.NET (Web); Azure (cloud); and Windows 7 Phone (mobile) platforms development each get a one-hour overview, and Microsoft kicks in a free continental breakfast and box lunch.
While Microsoft is coy about the “giveaways” being offered at the end of the event, when I went to the Visual Studio 2008 / Windows Vista launch back in 2007, I received free, fully functional copies of VS 2008 Standard and Vista Ultimate, plus copies of the developer editions of Windows Server 2008 and SQL Server 2008. I can’t be sure that such high-class swag will be offered this time around, but even if Microsoft sends me home empty-handed, I can’t miss this opportunity to shake hands and kiss babies.