September 2010 - Posts
When trying to backup my machine onto a USB drive, a few weeks ago I have been starting to get a very unhelpful 0x81000037 error. Of course, the first thing I did was to bing it but I didn’t like what I found. There is a “How to troubleshoot Windows Backup and Restore issues when a reparse point folder or its subfolder is added to a user library in Windows 7” KB article that unfortunately does not live up to its title. It does some hand waving around “reparse points” but does not even bother to explain what a reparse point is, let alone how to discover and remove them. Other links I found were from distressed users hitting the problem and having no clue how to solve it. Responses from support have been equally unhelpful and full of jargon as...
This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week. We recommend installing it as soon as possible on your web-servers. Common Questions/Answers Below are some answers to a few common questions people have asked: Do the updates require me to change any code? No. The update should not require any code or configuration change to your existing ASP.NET applications. Will I still need to use the workarounds after I install the update? No. The update removes the need to use the security workarounds we’ve published this past week. Those were temporary steps that could be taken to protect yourself before the update was released. After you’ve installed...
An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that I’ve blogged about this past week. The security update is fully tested, and is scheduled for release tomorrow - Tuesday September 28th – at approximately 10:00 AM PDT. The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available. We’ll release the update tomorrow via the Microsoft Download Center (I’ll blog links to the individual downloads for each version of .NET). We will then release the update via Windows Update and the Windows Server Update Service...
Earlier this week I posted about an ASP.NET Vulnerability , and followed this up with another blog post that covers some Frequently Asked Questions about it. We are actively working on releasing a security update that fix the issues, and our teams have been working around the clock to develop and test a fix that is ready for broad distribution across all Windows platforms via Windows Update. I’ll post details about this once it is available. Revised Workaround and Additional URLScan Step In my first blog post I covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure. This additional step can be done...
When you’re working on a web project, there are times you wish you could have captured all of the stuff you’re working on often and then re-use it later on, similar to code snippet. For example, if you work with JaveScript, HTML5 a lot, you would want to be able to create a new web project that already has a predefined set of jQuery library, or add a new page that already has references to the new HTML5 doctype and the jQuery libary, so you don’t have to constantly modify the page to add those in. You can achieve this by creating your own Item Template and Project Template. Recently, Rey Bango has posted a nice blog about this topic at How to Create HTML5 Website and Page Templates for Visual Studio 2010 . Joe Cartano also had a blog about it...
If you haven’t installed the Visual Studio Mobile tools for building Win7 applications I would highly recommend you do so now via one of the following links: Main Site: http://developer.windowsphone.com/ FWLINK: Windows Phone Developer Tools The release notes can be found here: Release Notes Programming Resources: http://charlespetzold.com/phone/index.html Channel 9 Training: http://channel9.msdn.com/learn/courses/WP7TrainingKit/ Windows Phone Developer Forums: http://social.msdn.microsoft.com/Forums/en-US/windowsphone7series XNA Creators Club: http://creators.xna.com/en-US/ Pre-Requites: Uninstall any non-RTM versions of VS 2010. Thanks, –Mike Read More...
Two days ago I published an important blog post about a security vulnerability in ASP.NET . In it I discussed a workaround that we recommend customers use to help prevent attackers from using the vulnerability against your applications. Below are answers to some common questions people have asked since then about the vulnerability. Is Microsoft going to release an update to fix the vulnerability? Yes. We are working on an update to ASP.NET that we will release via Windows Update once it has been thoroughly tested and is ready for broad distribution. Until the update is available, we will also publish details on workarounds (like the one described in this post ) that can be applied immediately to help protect against the vulnerability...
Sayed recently posted a blog on extending XML (web.config) Config transformation. If you haven’t read it already, you can find it here: http://sedodream.com/2010/09/09/ExtendingXMLWebconfigConfigTransformation.aspx Read More...
Yesterday, a new crypto oracle-type vulnerability was publicly disclosed. It is an important vulnerability that is likely to be exploitable on a large proportion of ASP.NET sites, even those that are using configuration settings that were previously considered safe. There is a workaround available already that should be set-up right now. You should pay a lot of attention to this and apply the workaround without trying to simplify it as that may result in your sites still being vulnerable. The issue is rather subtle (like pretty much all oracle attacks are). Scott published a blog post with all the details that I will not attempt to reproduce here in order to minimize any chance of confusion. Please go to Scott’s post , read it and do what you...
A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. This vulnerability was publically disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications. What does the vulnerability enable? An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data). At attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page...
More Posts
Next page »