Friday, 1 October 2010

ASP.NET Crypto Exploit Patch Now Available Through Windows Update

Scott Guthrie announced yesterday that the hotfix for the ASP.NET cryptographic padding oracle vulnerability (the "crypto exploit") is now available through Windows Update and Windows Server Update Services (WSUS).

Points of note:

  • Existing persistent authentication cookies become invalid once the patch is applied. In other words, if your site uses Forms Authentication, every user will have to log in again after you apply this patch.
  • Forms Authentication tickets still work across versions of ASP.NET. In other words, if you have several applications, running different versions of ASP.NET, on the same domain, one Forms Authentication login can serve them all, provided they share the same machineKey settings (validation and decryption keys), so that each application can validate and decrypt the others' tickets, and of course the same user store.
  • If you run a web farm, every machine in it must run the same version of ASP.NET, and the patch must be applied to all of them.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-now-available-through-windows-update

Monday, 27 September 2010

ASP.NET Crypto Exploit Patch Ships Tuesday, Sept. 28

Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.

Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. That is, after you install it you can again turn custom errors off, or map specific errors to their own custom error pages, instead of routing every error to one identical page as the workaround required.

Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28

Friday, 24 September 2010

Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability

In a further update on combating the ASP.NET padding oracle vulnerability (the "CryptographicException hack", so called because the padding failure surfaces as a CryptographicException), Microsoft is now urging webmasters to deploy the URLScan utility as an additional barrier against oracle attempts.

In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step, which rejects any request carrying aspxerrorpath in its query string, “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.” That is the whole game: the attack works by telling apart a ciphertext that decrypts to badly padded bytes from one that decrypts to well-padded but meaningless bytes. Every observable difference between those two cases, whether in status code, page content or timing, is a bit of oracle, and aspxerrorpath in the query string is one such difference.

URLScan is an Internet Information Services (IIS) extension. If you manage your own IIS server, follow the instructions in Guthrie's blog post to download and install URLScan and add aspxerrorpath= to the [DenyQueryStringSequences] section of urlscan.ini, then restart IIS. After that, any request whose query string contains aspxerrorpath= is refused by URLScan before it ever reaches ASP.NET, which is also a quick way to confirm the rule is in place.

If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.

Again, this is a serious threat, and the attack is fully scripted: anyone, including someone with no practical programming skill, can exploit a site with widely available tools.
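The following is an added example, not code from this post, from Microsoft or from the tools it mentions. It is a constructed toy that makes Guthrie's point concrete: a throwaway SHA-256-based Feistel cipher stands in for AES, a Server class stands in for a handler that decrypts a request and looks the result up by name, and recover() is the standard CBC padding-oracle recovery, driven by nothing but the status codes the server returns. With distinguishable failures (500 for bad padding, 404 for good padding but an unknown name) the attacker recovers the whole plaintext; with every failure mapped to 500, the same code learns nothing. The key, the resource name and the status codes are all assumptions made up for the demo.

```python
# Added, constructed example (not from the post or Microsoft): a toy CBC padding oracle; a throwaway SHA-256 Feistel cipher stands in for AES.
import hashlib

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    # 4-round Feistel network on 16-byte blocks; only invertibility matters here.
    left, right = block[:8], block[8:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + (left if decrypt else right)).digest()[:8]
        left, right = (_xor(right, f), left) if decrypt else (right, _xor(left, f))
    return left + right

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")  # the CryptographicException analogue
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_cipher(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_cipher(key, ciphertext[i:i + BLOCK], decrypt=True), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

class Server:
    """Decrypts a request and looks the plaintext up as a resource name. With
    uniform_errors=False, bad padding gives 500 but an unknown name gives 404 (an
    oracle); with uniform_errors=True every failure gives 500 (the mitigation)."""

    def __init__(self, key: bytes, resources: set, uniform_errors: bool):
        self.key, self.resources, self.uniform_errors = key, resources, uniform_errors

    def handle(self, iv: bytes, ciphertext: bytes) -> int:
        try:
            name = unpad(cbc_decrypt(self.key, iv, ciphertext))
        except ValueError:
            return 500
        if name not in self.resources:
            return 500 if self.uniform_errors else 404
        return 200

def recover_block(oracle, prev: bytes, target: bytes):
    # oracle(iv, block) is True iff the server's response says the padding was valid.
    inter = bytearray(BLOCK)  # block_cipher(key, target, decrypt=True), learned from the end
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val  # force the already-known bytes to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # rule out 02 02 (etc.) being mistaken for a lone 01
                forged[pos - 1] ^= 1
                still_valid = oracle(bytes(forged), target)
                forged[pos - 1] ^= 1
                if not still_valid:
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            return None  # no guess accepted: the responses carry no padding information
    return _xor(bytes(inter), prev)

def recover(oracle, iv: bytes, ciphertext: bytes):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    out = b""
    for prev, cur in zip(blocks, blocks[1:]):
        block = recover_block(oracle, prev, cur)
        if block is None:
            return None
        out += block
    return out

def demo(uniform_errors: bool):
    # Constructed key and resource name; the attacker sees nothing but status codes.
    key, iv = b"constructed demo key (not real)", bytes(range(BLOCK))
    name = b"/Scripts/jquery-1.4.1.min.js"  # 28 bytes, so it pads to two blocks
    server = Server(key, {name}, uniform_errors)
    ciphertext = cbc_encrypt(key, iv, pad(name))
    assert server.handle(iv, ciphertext) == 200  # the legitimate request still works
    return recover(lambda forged_iv, blk: server.handle(forged_iv, blk) != 500, iv, ciphertext)
```

Call demo(False) to watch the padded resource name come back byte by byte, and demo(True) to get None from the very same attack code. Note what the hardened server does not do: it still checks padding and still rejects bad requests; it merely stops telling the client which check failed. The published workaround also added a random delay to the error page for the same reason, since a timing difference is as usable to the attacker as a status-code difference.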

All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability

Saturday, 1 May 2010

The Visual Studio Launch 2010 Boston Event, Reconsidered

Now that I’m a day or so removed from the Visual Studio “Launch 2010” event in Boston, have plenty of sleep under my belt, and the benefit of hindsight, I’d like to recap my impressions.

I still consider Launch 2010 a significant disappointment, especially compared to the “Heroes Happen Here” launch of Visual Studio 2008 / SQL Server 2008 / Windows Server 2008 that was held in Manchester, NH, two years ago. But I should explain why, and maybe at least put in context, if not rephrase, my criticisms of Thursday.

Attendance: I need to clarify my attendance estimates from Thursday.

I’m guessing there were about 1,000 people in attendance at Launch 2010, which had three tracks: two all-day tracks for developers and IT professionals, and a half-day track for managers / decision makers. Of the total number of attendees, well over half (at least 500) were in the developer track. I don’t have an exact count because I don’t know who to ask for one, and I doubt there is an accurate count in any event, because Microsoft was allowing walk-ins throughout the event.

However many people were there, it was too many, at least for the developer track. They ran out of seats by 9:30 AM, and it only got worse until 3:30 PM, when the ASP.NET session ended and a large number of people left. I did pop in on the IT pro track after I couldn’t regain my seat following lunch; there were a few empty seats available there.

Allowing such a significant overflow is a huge kick in the balls. I took the time to register ahead of time. I took great pains to ensure I would arrive on time. If you’re letting people filter in six hours after they were supposed to show up, you’re not being fair to me — especially if I can’t fully enjoy the event.

Continue reading: The Visual Studio Launch 2010 Boston Event, Reconsidered »