hits counter

Patch For ASP.NET Vulnerability Available

Microsoft has published a Security Advisory (2416728) about a security vulnerability in ASP.NET on Saturday, September 18th. This vulnerability exists in all versions of ASP.NET and was publically disclosed late Friday at a security conference.

Scott Guthrie has provided information on workarounds (please see Important: ASP.NET Security Vulnerability and ASP.NET Security Vulnerability) to prevent attackers from using this vulnerability against their ASP.NET applications.

To help with Microsoft’s response to the new padding oracle vulnerability, a new forum was also set up: Security Vulnerability.

Microsoft has now announced the release of an out-of-band security update to address the ASP.NET Security Vulnerability.

Applying the update addresses the ASP.NET Security Vulnerability, and once the update is applied to your system the workarounds Scott has previously blogged about will no longer be required. But, until the update has been installed, those workarounds must be used.

You can learn more about this security update release from this reading the Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.

Important Links:

4 Comments

  • So now we have four posts immediately above Scott's post which basically read: "Scott's just posted [something] [link to Scott's post]".
    It's like trying to have a conversation with someone when, every time the other person says something, the person sitting next to you leans over and says, "Did you hear that? He just said [this]."
    If you were posting this to another blog, fine. If you were posting it several days later as a reminder, fine. If you were adding something to the conversation, also fine. But posting this less than 12 hours after Scott's post, when there's no other posts getting in the way? Annoying, to say the least.

  • I'm sorry it annoyed you.
    In my defense, I’d like to say that I thought this was important enough to publish (I don’t usually publish just links to other people’s blogs) and Scott’s post was announcing a future release of the fix while mine was announcing it had already been released.

  • "Scott’s post was announcing a future release of the fix"

    Look at the post *immediately* before yours in the list. The one that Scott posted *4 hours* before your post. The one titled, "ASP.NET Security Update Now Available".

    http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

    Alternatively, look at Ken Cox's post 90 minutes before that:
    http://weblogs.asp.net/kencox/archive/2010/09/28/get-the-asp-net-patch-now.aspx

    I don't have a problem with people spreading the word about the patch, but there are too many people flooding the blogs with links to other posts immediately below theirs without adding anything to the original post.

    Which would you rather see on the front page?
    "ScottGu: [Useful information]"

    or:
    "SomeGuy: [Copy of SomeOtherGuy's post linking to Scott's post]"
    "SomeOtherGuy: [Link to Scott's post]"
    "AnotherGuy: [Link to Scott's post]"
    ...
    (Page 2) "ScottGu: [Useful information]"

  • I can understand that my posts and Nuno's posts tipped your scale, but you’re being unfair blaming us for all the stuff you see just because we felt into that group once.
    It may come as a surprise to you that there are people that read my blog (which is the same in different communities) and doesn’t read Scott’s blog.

Comments have been disabled for this content.