Security
Thanks for joining us for the final day of our series on cryptography in ASP.NET 4.5! Up to now, the series has discussed how ASP.NET uses cryptography in general, including how the pipelines are implemented in both ASP.NET 4 and ASP.NET 4.5. We introduced APIs to give developers fuller control over the cryptographic pipeline and to drive consumers toward a wider pit of success. In today's post, I'll discuss advanced usage scenarios and answer some common questions that we anticipate developers might have. The series outline is copied below for quick reference. Background regarding the use of cryptography in ASP.NET 4. Changes that were introduced in ASP.NET 4.5. Usage notes and miscellaneous Q&A (this post). Throughout the series...
Thanks for joining us for day two of our series on cryptography in ASP.NET 4.5! In yesterday's post, I discussed how ASP.NET uses cryptography in general, where key material is pulled from and how it is stored, and various problems that the APIs have introduced over the years. In today's post, I'll discuss how we're mitigating those issues using 4.5's opt-in model. The series outline is copied below for quick reference. Background regarding the use of cryptography in ASP.NET 4. Changes that were introduced in ASP.NET 4.5 (today's post). Usage notes and miscellaneous Q&A (coming tomorrow). Throughout the series I'll refer to a sample solution. This Visual Studio 2012 solution contains projects that demonstrate...
I am Levi Broderick, a developer on the ASP.NET team at Microsoft. In this series, I want to introduce some of the improvements we have made to the cryptographic core in ASP.NET 4.5. Most of these improvements were introduced during beta and spent several months baking. When you create a new project using the 4.5 templates baked into Visual Studio 2012, those projects will take advantage of these improvements automatically. The intent of this series is both to explain why the ASP.NET team made these investments and to educate developers as to how they can take maximum advantage of this system. This series will be divided into three posts: Background regarding the use of cryptography in ASP.NET 4 (today's post). Changes that were introduced...
A few minutes ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address an ASP.NET Security Vulnerability. The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET. We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible. We are releasing the security update via Windows Update and the Windows Server Update Service. You can also manually download and install it via the Microsoft Download Center. We will release the update on Thursday, December 29th at approximately 10am...
These things happen, and it seems hopeless at first: you've locked yourself out of your own site and that's that. Well, not quite. If you still have access to the database there is a way out. Access may be through FTP and WebMatrix or Visual Studio if using SQL CE or through SQL Server Management Studio or whatever is your preferred way to access your database. In this tutorial I'll use WebMatrix over a local SqlCe database but other tools would work just as well with minor differences. Open the database and go to the Orchard_Users_UserPartRecord table. You should see something like this: As you can see, the passwords are stored hashed, and the password format is specified for each user. Possible values are Hashed (the default),...
Earlier this week I blogged about the availability of a patch on the Microsoft Download Center to fix the recent ASP.NET Security Vulnerability. Today we also made it possible to update systems through Windows Update (WU) and Windows Server Update Services (WSUS). This enables administrators to more easily streamline patch installs, and enables you to take advantage of the WU/WSUS infrastructure to detect which patches you should install based on what versions of .NET are on your system. Please make sure to install these updates as soon as possible on your servers. This will prevent attackers from using the vulnerability to attack your systems. Using Windows Update If you run Windows Update on your system you’ll see the security...
This morning Microsoft released a security update that addresses the ASP.NET Security Vulnerability that I’ve blogged about this past week. We recommend installing it as soon as possible on your web-servers. Common Questions/Answers Below are some answers to a few common questions people have asked: Do the updates require me to change any code? No. The update should not require any code or configuration change to your existing ASP.NET applications. Will I still need to use the workarounds after I install the update? No. The update removes the need to use the security workarounds we’ve published this past week. Those were temporary steps that could be taken to protect yourself before the update was released. After you’ve installed...
An hour ago Microsoft released an advance notification security bulletin announcing that we are releasing an out-of-band security update to address the ASP.NET Security Vulnerability that I’ve blogged about this past week. The security update is fully tested, and is scheduled for release tomorrow - Tuesday September 28th – at approximately 10:00 AM PDT. The advance notice bulletin is intended to ensure administrators know it is coming, and are better prepared to apply it once the update is available. We’ll release the update tomorrow via the Microsoft Download Center (I’ll blog links to the individual downloads for each version of .NET). We will then release the update via Windows Update and the Windows Server Update Service...
Earlier this week I posted about an ASP.NET Vulnerability, and followed this up with another blog post that covers some Frequently Asked Questions about it. We are actively working on releasing a security update that fixes the issues, and our teams have been working around the clock to develop and test a fix that is ready for broad distribution across all Windows platforms via Windows Update. I’ll post details about this once it is available. Revised Workaround and Additional URLScan Step In my first blog post I covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure. This additional step can be done...
Two days ago I published an important blog post about a security vulnerability in ASP.NET. In it I discussed a workaround that we recommend customers use to help prevent attackers from using the vulnerability against your applications. Below are answers to some common questions people have asked since then about the vulnerability. Is Microsoft going to release an update to fix the vulnerability? Yes. We are working on an update to ASP.NET that we will release via Windows Update once it has been thoroughly tested and is ready for broad distribution. Until the update is available, we will also publish details on workarounds (like the one described in this post) that can be applied immediately to help protect against the vulnerability...