Archives
-
Security update released for ASP.NET Padding Oracle Vulnerability
Microsoft has just released security bulletin MS10-070 with security updates for the issue. The updates are currently on Microsoft Download Center, but will be available through all other channels soon.
-
Update 1: ASP.NET Zero Day Vulnerability - Padding Oracle Exploit
ScottGu has posted some additional FAQs on http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
-
ASP.Net zero day vulnerability - Padding Oracle exploit
An ASP.NET cryptographic zero day was publicly disclosed today.
-
Fixes for several IIS issues released in September 2010 patch cycle
We just released a bulletin this September that addresses three IIS vulnerabilities. Two of these were responsibly disclosed, while one was publicly disclosed. The bulletin is on http://www.microsoft.com/technet/security/bulletin/MS10-065.mspx and contains the mitigations and workarounds in each case. The knowledge base articles for each of the three vulnerabilities are linked below and contain affected platform information.
-
Dynamic IP Restrictions Beta 2 released!
Yes, it has been a while since Beta was released, but Beta 2 is finally released! You can download Dynamic IP Restrictions Beta 2 from the links below.
-
Security fix for IIS Extended Protection released
Microsoft has just released a fix for the Extended Protection for Windows Authentication feature in IIS. The details about the issue are in security bulletin MS10-040.
-
Blocking SQL injection using IIS URL Rewrite
We have had quite a few conversations about SQL injection on my blog, including Filtering SQL Injection from Classic ASP and Using Rules Configuration in UrlScan 3.0 to filter SQL injection. One of the shortcomings that we talked about was that UrlScan is not as flexible as some users want it to be, since it does not have the ability to use regular expressions. Well, the story changes quite a bit with the IIS URL Rewrite module, which is capable of doing request and response rewriting based on regular expressions. For those weighing between URL Rewrite and UrlScan, URL Rewrite has more flexibility but UrlScan is a lot more performant, so choose depending on your needs and resources.
-
Fixing IIS 6 issue with semi-colon
In an earlier post I talked about the semi-colon issue, and since then we have published KB article 979124 on how to configure uploads for web applications in IIS as well. To complete the story, I wanted to do a quick write-up on how to go about fixing your server configuration to avoid this issue.