MS emergency fix plugs ASP.Net web development hole

Yellow alert over severe server peril

By John Leyden

Microsoft has released an out-of-sequence patch designed to address a serious flaw in its ASP.Net web application development toolkit.

The vulnerability, which has been under active attack for several weeks, creates a mechanism for attackers to read any file on a web application server. Microsoft rates the flaw as only “important”, while independent security watchers such as the SANS Institute’s Internet Storm Centre say that rating underestimates the risk posed by the flaw to online shops built using Microsoft’s developer tools. The ISC has raised the InfoCon status of the flaw from green to yellow.

Microsoft’s advisory provides more detail on the “information disclosure” flaw. It explains that “in Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config” and that “this vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server”.


Microsoft rolls out gigantic security update

Microsoft’s regularly scheduled security update is getting a bit more than its typical once-over this morning, as it patches 34 different problems, tying the record for the most vulnerabilities ever tackled in one of the company’s standard updates.

Of course, the vast majority of the updates are classified as low risk, meaning they weren’t necessarily a big threat but still deemed as a stability problem for Microsoft applications.

Four of the patches, though, are deemed extremely critical and relate to errors in Windows coding that a hacker could exploit to take over an infected user’s computer. These vulnerabilities specifically relate to:

– Microsoft’s MPEG Layer-3 audio codecs were not protected against specific code that could be exploited through streaming Internet content


Mark Raby


MetroTwit, a new Twitter client for Windows

By @marcosesperon

There are many Twitter clients that we can install on our computers to manage our microblogging account more easily. These clients let us review our friends' updates more comfortably, with shortcuts to the most common functions and sometimes with the ability to manage several accounts simultaneously.

More action, less talk.



I’ve been disengaged from socialized networks somewhat and deep diving into some new developments in .NET code recently like WebFormsMVP, IoC, and an OODB(db4o). So much to keep up on. Also I’m applying the ITIL strategy info from my recent blogs to a real case study of service management. It’s important to me to do first, and talk later. But being a teacher, I’m paid to talk and it’s a luxury to be able to work out the theory into reality. More soon…

http://www.socialitoutbursts.com
