Wednesday, September 29, 2010

Thanks to those user group members and Xero partners who came along to our talk today.

We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.

Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)

All ASP.NET applications are affected. The best thing to do is install the patches released this morning.


Problem & bulletins:

Security bulletin MS10-070

Useful info on ScottGu's blog

Forum about the security vulnerability

Video of a site exploit, even with the workarounds applied

Patch:

Scott Gu's writeup of the patch

Post-mortem of the patch - Marc Brooks

How to configure the new patched features

Research:

Juliano Rizzo and Thai Duong and their POET tool

Padbuster tool (including a great writeup of Padding Oracles)

posted on Wednesday, September 29, 2010 8:25:39 PM (New Zealand Standard Time, UTC+12:00)

Monday, September 27, 2010

If you're in Wellington this Wednesday and you develop, maintain, manage or host ASP.NET or SharePoint websites, please do come along to hear about the security vulnerability disclosed a week ago:

http://www.dot.net.nz/Lists/Events%20Calendar/DispForm.aspx?ID=321

posted on Monday, September 27, 2010 9:08:47 PM (New Zealand Standard Time, UTC+12:00)

Wednesday, September 01, 2010

Here's the presentation I delivered at the Auckland Code Camp 2010. It covers 10 things that I found when surveying attendees' websites :)

posted on Wednesday, September 01, 2010 4:18:01 PM (New Zealand Standard Time, UTC+12:00)