ASP.NET Security Patch

Last week I cross-posted about a security flaw in ASP.NET which could allow an attacker to get access to files on the server.

Microsoft has announced an out-of-band patch for this on Tuesday, September 28, 2010.

Here is the blog post from the Microsoft SharePoint Team blog with details and links.

x-post from the Microsoft Security Response Center blog — The download links for the security updates are in the Security Bulletin.

As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog by Scott Guthrie, corporate vice president of Microsoft’s .NET Developer Platform are available for more information.

This security update addresses a vulnerability affecting all versions of the .NET Framework when used on Windows Server operating systems. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a web server from their computer.

The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days. This allows customers the option to deploy it manually now without delaying for broader distribution.

For customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.

If you can, please join me and Dustin Childs today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday September 28, 2010
Time: 1:00 p.m. PDT
Click Here to Register

Thanks,
Dave Forstrom
Director, Trustworthy Computing


Your Mid-Week Microsoft Dump

This week's dump is mostly some new courses now available from Microsoft and a pretty good looking podcast about PowerShell and .NET development.


Course 50468A: SharePoint 2010 End User – Level I

This 3-day instructor-led course explores all the basic end user features of SharePoint 2010 including all basic lists and sites.


Course 50470A: Microsoft SharePoint Server 2010 for the Site Owner/Power User

This two-day instructor-led course is designed for the site owner/“power user” of a SharePoint site who needs to know how to create sites and lists, manage user access and customize lists and pages. This class uses the SharePoint Server 2010 version of SharePoint. While it is of equal value for users of SharePoint Foundation, it does include a few features not found in Foundation.


geekSpeak: PowerShell for .NET Developers with Doug Finke


In this episode of geekSpeak, Microsoft Most Valuable Professional (MVP) Doug Finke takes us on a deep dive into PowerShell from a developer’s point of view. Doug shows techniques for integrating/debugging PowerShell from and to C# code as well as using

Big Security Hole for SharePoint Servers

You may have already read this somewhere out there; it is making the rounds across the Twitter-sphere, blogs, and news. But I felt it would be important to post, or I should say re-post, the issue.

Executive Summary from Vulnerability in ASP.NET Could Allow Information Disclosure (http://www.microsoft.com/technet/security/advisory/2416728.mspx)

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Scott Guthrie has an excellent post up regarding this vulnerability at http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx. As normal, he has gone through with code snippets to explain the issue and what you can do to protect your systems.

Good luck keeping your systems safe!

Your Mid-Week Microsoft Dump

As promised, here is a collection of cool links to Microsoft content thanks to the Microsoft Broadcaster.

Good reading and listening!


Course 50429A: SharePoint 2010 Business Intelligence

This 5-day instructor-led course teaches you how to use SharePoint as your platform for Business Intelligence. Journey through the SharePoint Business Intelligence Center, Excel Services, Reporting Services, Analysis Service, Performance Point and PowerPivot to implement your BI Strategies and enable your decision makers to see data in new and dynamic ways! This course will take you down a path of building a BI environment from scratch to full interactive dashboards using the Microsoft BI Stack….


Breakthroughs in Social Networking, Search and Collaboration with SharePoint 2010, Exchange 2010, Office 2010 and Visio 2010

In the fast-paced, ever-changing world of business, enterprise collaboration is no longer just an afterthought; it is a fundamental business capability that forms a foundational part of any company’s IT strategy. Collaborative processes play a part in almost…


Clinic 10277: What’s New in Microsoft SharePoint 2010 for Developers

This two-hour clinic describes various new features and enhancements that Microsoft SharePoint 2010 provides developers. It describes how you can create and deploy SharePoint 2010 solutions using Microsoft Visual Studio 2010. It also describes how you can develop remote clients for SharePoint 2010 and develop SharePoint 2010 solutions that incorporate data from external line-of-business applications.


How Do I: Correctly Terminate Multithreaded .NET Compact Framework Applications?

Create a managed multithreaded application for Windows Mobile Devices using the Microsoft .NET Compact Framework, and create and use multiple threads inside that application. Join Maarten Struys as he demonstrates this and, more importantly, shows you…


geekSpeak: Business Intelligence for the .NET Framework Developer with Andrew Brust

In this episode of geekSpeak, Microsoft regional director Andrew Brust answers the question: “Why should developers care about business intelligence?” Andrew gives an overview of Microsoft business intelligence (BI) and discusses why BI is advantageous…

Microsoft Broadcaster

The other day I was poking around Microsoft’s site for certified professionals and came across a new public service they are testing out. It is a cross between an RSS feed and a magazine subscription.
You select the general technologies as well as specific Microsoft products you wish to get information about, and it then generates a list of new and old media regarding these filter values. The list of media options you can get is quite long and includes articles and case studies all the way to virtual labs and web casts. It is a really nice mash-up to see some of the content that Microsoft puts out but you might not ever discover.

Right now signup is by invite only; you fill out a little application and they either accept or deny. You can apply at http://www.microsoftbroadcaster.com

My goal is once a week to post a collection of the most unusual as well as most beneficial feeds that come across my broadcaster filters to you. I give my couple cents worth if I have had the time to fully review the material, but many will be posted based on the intro provided.

So here we go:

Bytes by TechNet: John Campbell and Harold Wong on how SharePoint 2010 can help Excel users avoid spreadsheet chaos

Excel Services is a service application that enables you to load, calculate, and display Microsoft Excel workbooks on Microsoft SharePoint Server 2010. Join Harold Wong as he interviews John Campbell, program manager with the Excel Services team for Micr…

Learning Plan for Developing Solutions on Microsoft SharePoint Server 2010

This learning plan is intended to help IT professionals and developers learn how to develop solutions by using Microsoft SharePoint Server 2010 and Microsoft SharePoint Foundation 2010.
Scott’s Comments: I have reviewed this one, and plan on making use of it myself. It provides articles and training courses in a given order to help you achieve knowledge to develop for SharePoint. I’ll post again with a review of how it did or did not work in ramping me up.

SQL Server 2008 R2: Upgrading SQL Server Business Intelligence Components

Unless you are dealing with a totally new Microsoft SQL Server installation, the upgrade process is clearly an important part of the installation story. In this webcast, we explain what you need to consider when upgrading to Microsoft SQL Server 2008 R


Clinic 10279: What’s New in Microsoft SharePoint 2010 for IT Professionals

This two-hour clinic describes the various benefits that Microsoft SharePoint 2010 offers IT Pros. It describes improvements to the user interface, including the ribbon and enhanced Central Administration console. It also describes features that help you monitor your SharePoint site, such as large list resource throttling, Unattached Content Database Recovery, and the SharePoint Health Analyzer.