All Tags » Security (RSS)
ASP.NET Security Update Shipping Thursday, Dec 29th
A few minutes ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address an ASP.NET Security Vulnerability. The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET. We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible. We are releasing the security update via Windows Update and the Windows Server Update Service. You can also manually download and install it via the Microsoft Download Center. We will release the update on Thursday, December 29th at approximately 10am...
Recovering the admin password in Orchard
These things happen, and it seems hopeless at first: you've locked yourself out of your own site and that's that. Well, not quite. If you still have access to the database there is a way out. Access may be through FTP and WebMatrix or Visual Studio if using SQL CE or through SQL Server Management Studio or whatever is your preferred way to access your database. In this tutorial I'll use WebMatrix over a local SqlCe database but other tools would work just as well with minor differences. Open the database and go to the Orchard_Users_UserPartRecord table. You should see something like this: As you can see, the passwords are stored hashed, and the password format is specified for each user. Possible values are Hashed (the default),...
ASP.NET Security Fix Now on Windows Update
Earlier this week I blogged about the availability of a patch on the Microsoft Download Center to fix the recent ASP.NET Security Vulnerability. Today we also made it possible to update systems through Windows Update (WU) and Windows Server Update Services (WSUS).  This enables administrators to more easily streamline patch installs, and enables you to take advantage of the WU/WSUS infrastructure to detect which patches you should install based on what versions of .NET are on your system. Please make sure to install these updates as soon as possible on your servers.  This will prevent attackers from using the vulnerability to attack your systems. Using Windows Update If you run Windows Update on your system you’ll see the security...
ASP.NET Security Update Now Available
This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week.  We recommend installing it as soon as possible on your web-servers. Common Questions/Answers Below are some answers to a few common questions people have asked: Do the updates require me to change any code? No. The update should not require any code or configuration change to your existing ASP.NET applications. Will I still need to use the workarounds after I install the update? No. The update removes the need to use the security workarounds we’ve published this past week.  Those were temporary steps that could be taken to protect yourself before the update was released.  After you’ve installed...
ASP.NET Security Update Shipping Tuesday, Sept 28th
An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that I’ve blogged about this past week.  The security update is fully tested, and is scheduled for release tomorrow - Tuesday September 28th – at approximately 10:00 AM PDT.  The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available. We’ll release the update tomorrow via the Microsoft Download Center (I’ll blog links to the individual downloads for each version of .NET).  We will then release the update via Windows Update and the Windows Server Update Service...
Update on ASP.NET Vulnerability
Earlier this week I posted about an ASP.NET Vulnerability, and followed this up with another blog post that covers some Frequently Asked Questions about it. We are actively working on releasing a security update that fixes the issues, and our teams have been working around the clock to develop and test a fix that is ready for broad distribution across all Windows platforms via Windows Update. I’ll post details about this once it is available. Revised Workaround and Additional URLScan Step In my first blog post I covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure. This additional step can be done...
Frequently Asked Questions about the ASP.NET Security Vulnerability
Two days ago I published an important blog post about a security vulnerability in ASP.NET. In it I discussed a workaround that we recommend customers use to help prevent attackers from using the vulnerability against your applications. Below are answers to some common questions people have asked since then about the vulnerability. Is Microsoft going to release an update to fix the vulnerability? Yes. We are working on an update to ASP.NET that we will release via Windows Update once it has been thoroughly tested and is ready for broad distribution. Until the update is available, we will also publish details on workarounds (like the one described in this post) that can be applied immediately to help protect against the vulnerability...
Please read if you have public ASP.NET sites
Yesterday, a new crypto oracle-type vulnerability was publicly disclosed. It is an important vulnerability that is likely to be exploitable on a large proportion of ASP.NET sites, even those that are using configuration settings that were previously considered safe. There is a workaround available already that should be set up right now. You should pay a lot of attention to this and apply the workaround without trying to simplify it as that may result in your sites still being vulnerable. The issue is rather subtle (like pretty much all oracle attacks are). Scott published a blog post with all the details that I will not attempt to reproduce here in order to minimize any chance of confusion. Please go to Scott’s post, read it and do what you...
Important: ASP.NET Security Vulnerability
A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. This vulnerability was publicly disclosed late Friday at a security conference. We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications. What does the vulnerability enable? An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data). An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page...
More on medium trust: what permission are you missing?
Yesterday, I asked some questions about your usage of medium trust. Thank you all for the great answers and comments (but don’t read too much into that, I’m just playing with stuff). If you haven’t answered yet, feel free to do so. Now I have an additional question: What missing permission is preventing you from running in medium trust? Please answer in comments. And thanks again for the great feedback.