Patch For ASP.NET Vulnerability Available

Microsoft published a Security Advisory (2416728) about a security vulnerability in ASP.NET on Saturday, September 18th. This vulnerability exists in all versions of ASP.NET and was publicly disclosed late Friday at a security conference.

Scott Guthrie has provided information on workarounds (please see Important: ASP.NET Security Vulnerability and ASP.NET Security Vulnerability) to prevent attackers from using this vulnerability against ASP.NET applications.

To help with Microsoft’s response to the new padding oracle vulnerability, a new forum was also set up: Security Vulnerability.

Microsoft has now announced the release of an out-of-band security update to address the ASP.NET Security Vulnerability.

Applying the update addresses the ASP.NET Security Vulnerability, and once the update is applied to your system the workarounds Scott has previously blogged about will no longer be required. But, until the update has been installed, those workarounds must be used.

You can learn more about this security update release by reading the Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.


  • So now we have four posts immediately above Scott's post which basically read: "Scott's just posted [something] [link to Scott's post]".

    It's like trying to have a conversation with someone when, every time the other person says something, the person sitting next to you leans over and says, "Did you hear that? He just said [this]."

    If you were posting this to another blog, fine. If you were posting it several days later as a reminder, fine. If you were adding something to the conversation, also fine. But posting this less than 12 hours after Scott's post, when there are no other posts getting in the way? Annoying, to say the least.

    To make matters worse, this is a word-for-word copy of Paulo Morgado's post [1], which is immediately before yours. Not only are you posting unimaginative tripe, you're posting *someone else's* unimaginative tripe!


  • This post is a co-work with Paulo Morgado and I'm pleased to say it.
    You didn't find it interesting, but we both agreed to help spread this fix.
    That's it.

  • Does this break TripleDES? I applied the security update and now I'm getting an error on my application's encryption method.

  • Yes it does but it's slower.

    Check if the security update is really there:

    Also if you are mixing pre-patch and post-patch machines, that would not work.
