ASP.NET Padding Oracle Fix and Risks

As most SharePoint, security and .NET professionals will know by now, a hotfix for the Padding Oracle vulnerability in ASP.NET was released out-of-band on Tuesday. A live TechNet Webcast with a Q&A was held with Dave Forstrom (Director, Response Communications) and Dustin Childs (Senior Security Manager). I’ve put together these rough notes from that webcast, as I think this information needs to reach a wider audience.

This is intended to be a (very) rough guide to the webcast content, and I make no claims about the accuracy – I’ve purely attempted to repeat a small portion of what was discussed on the webcast – some of which was covered very quickly. If any of this is of particular interest, I suggest watching the webcast. I’m primarily interested in motivating people to apply the patch while repeating some of the considerations that should be… considered before doing so.

