Thanks to those user group members and Xero partners that came along to our talk today.
We covered the two vulnerabilities released last week, the workarounds, and the patches that were released this morning.
Here are the slides: KirkJackson-PaddingOracle.pdf (641.14 KB)
All ASP.NET applications are affected. The best thing to do is install the patches released this morning.
Problem & bulletins:
Security bulletin MS10-070
Useful info on ScottGu's blog
Forum about the security vulnerability
Video of a site exploit, even with the workarounds applied
Scott Gu's writeup of the patch
Post-mortem of the patch - Marc Brooks
How to configure the new patched features
Juliano Rizzo and Thai Duong and their POET tool
Padbuster tool (including a great writeup of Padding Oracles)