MS emergency fix plugs ASP.Net web development hole

Yellow alert over severe server peril

By John Leyden

Microsoft has released an out-of-sequence patch designed to address a serious flaw in its ASP.Net web application development toolkit.

The vulnerability, which has been under active attack for several weeks, creates a mechanism for attackers to read any file on a web application server. Microsoft rates the flaw as only “important”, while independent security watchers such as the SANS Institute’s Internet Storm Centre say that rating underestimates the risk posed by the flaw to online shops built using Microsoft’s developer tools. The ISC has raised the InfoCon status of the flaw from green to yellow.

Microsoft’s advisory provides more detail on the “information disclosure” flaw. It explains that “in Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config” and that “this vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server”.



.XXX domain deal stripped bare

ICM says .xxx gives members of the adult industry the opportunity to self-identify, enabling easier filtering, and to promote responsibility by voluntarily abiding by a set of industry best practices.

Registrants will have to have their identities verified, and $10 from each domain will go to a new organisation focussed on supporting free speech and child protection efforts.

It’s the sixth time over the last six years that the .xxx application has come in for public scrutiny. Most recently, this spring an ICANN comment period attracted an unprecedented 13,000 letters and emails, the vast majority of which came from outraged American religious groups.



Gun-totin’ pornsters step up
By Kevin Murphy
The company behind a proposal to create .xxx, an adults-only top-level internet domain, is set to run the gauntlet of objections from angry pornographers and appalled Christians for the sixth time.

ICANN last week published a draft contract that, if signed, could allow Florida-based ICM Registry to start offering .xxx domains as early as next summer, and opened up a 30-day public comment period.

Pornographers led by the Free Speech Coalition are already asking ICANN to kill the proposal. They claim ICM’s application is little more than a balls-out effort to bilk them out of money during a time of economic hardship and rampant piracy.

Domains with the .xxx extension are expected to cost more than $60 per year, compared to roughly $10 per year for .com domains.

Nokia drops Nokia from Nokia Music

What’s an Ovi?

By Andrew Orlowski

The world’s biggest mobile company is to remove the obscure and confusing “Nokia” branding from its key strategic music service, Comes With Music, and lavish it with the world-renowned and highly respected “Ovi” brand, instead.

The news didn’t merit an official announcement, but was leaked to bloggers instead. A spokesperson explained the move:

“The new name is also simpler for music fans around the world to understand, and when presented in local language, will better communicate our truly local service proposition in each market. In doing so, we are giving our users a simplified, Ovi-branded experience.”

Quite right.

People often ask, “What’s a Nokia? – is it some new kind of yoga or a fashionable new diet?” Then you remind them – it’s the platform for the Ovi mobile services experience – and the fog of confusion quickly clears.

The Comes With Music program bundles unlimited access to music with a Nokia device for a period of 12, 18 or 24 months. Users can then keep the music they download, or pay to renew the subscription. The phone giant pulled its other music service, the Music Store, which is available in 23 countries, under its Ovi services brand some time ago.



UK.gov sticks to IE 6 cos it’s more ‘cost effective’, innit

The petition itself was sent to Number 10 earlier this year asking then Prime Minister Gordon Brown to follow German and French governments’ decisions to ditch IE 6.

Brown’s administration was unmoved by security concerns about the crinkly old browser, however.

It claimed at the time that its system, along with regular Microsoft updates, meant it was robust enough against the kind of attack that claimed over 30 corporate firms at the end of last year.

Google was perhaps the most high-profile victim of those attacks. It has since turned its back on supporting the old MS browser in its web apps.

At the same time, Microsoft too has been trying to shepherd users away from IE 6 and Windows XP – the operating system that refuses to die – in favour of its more recent software efforts.

But the ConDem government is singing from the same hymnbook as Number 10’s previous incumbents.

Freetards on the interwebs are in uproar about the decision, and the El Reg mailbox is overflowing with comments from outraged coders.

“Apparently the IT team in Whitehall has yet to realise you could quite easily use IE6 for IE6 only sites, and receive the protection of a more modern browser such as IE8, FF and Chrome for everything else,” Reg reader Mark told us.

“As a senior web application developer, the mention of the positive word ‘standards’ in a document about IE6 makes me die a little on the inside — ‘Public sector organisations are free to identify software that supports their business needs as long as it adheres to appropriate standards’ — I’m not sure which standards they mean… but certainly not the HTML ones.”

Alas, Internet Explorer 6 is here to stay to keep the wheels of central government turning in this big fat society of ours, people. ®



By Kelly Fiveash

Computers in Whitehall will largely continue to run Microsoft’s Internet Explorer 6, which will make web coders spit out their cheese‘n’pickle sarnies this lunchtime.

“It is not straightforward for HMG departments to upgrade IE versions on their systems. Upgrading these systems to IE 8 can be a very large operation, taking weeks to test and roll out to all users.”

“To test all the web applications currently used by HMG departments can take months at significant potential cost to the taxpayer. It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users,” it said.