Wednesday, September 29, 2010

Thanks to those user group members and Xero partners who came along to our talk today.

We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.

Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)

All ASP.NET applications are affected. The best thing to do is install the patches released this morning.


Problem & bulletins:

Security bulletin MS10-070

Useful info on ScottGu's blog

Forum about the security vulnerability

Video of a site exploit, even with the workarounds applied

Patch:

Scott Gu's writeup of the patch

Post-mortem of the patch - Marc Brooks

How to configure the new patched features

Research:

Juliano Rizzo and Thai Duong and their POET tool

Padbuster tool (including a great writeup of Padding Oracles)
