ASP.NET Padding Oracle Fix and Risks

As most SharePoint, security and .NET professionals will know by now, a hotfix for the Padding Oracle vulnerability in ASP.NET was released out-of-band on Tuesday. A live TechNet Webcast with a Q&A was held with Dave Forstrom, Director, Response Communications and Dustin Childs, Senior Security Manager. I’ve put together these rough notes from that webcast, as I think this information needs to reach a wider audience.

This is intended to be a (very) rough guide to the webcast content, and I make no claims about the accuracy – I’ve purely attempted to repeat a small portion of what was discussed on the webcast – some of which was covered very quickly. If any of this is of particular interest, I suggest watching the webcast. I’m primarily interested in motivating people to apply the patch while repeating some of the considerations that should be… considered before doing so.


180 days is approaching

It’s now nearly 180 days since the MOSS 2007 SP2 product expiration problem was discovered. Any systems that are running with the original version of SP2 will expire 180 days after it was installed. There are some quite simple solutions to this problem, but it’s worth assessing the state of your systems to make sure they aren’t at risk.

If the original version of SP2 has been installed on any systems, this can be fixed by re-entering the original product key or by applying this hotfix. If the service pack installer was downloaded after 29/7/09, this fix is included. Any questions should be answered by the original post’s Q&A.