Security hole in ASP.NET

Jason__C · September 28, 2010, 4:37am

You all need to know this:

Patch is in progress…

chieftain · October 1, 2010, 8:53am

Murphy’s Law - “Anything that can go wrong, will go wrong”

Jason__C · September 30, 2010, 5:49pm

Look, I understand where you two are coming from, but a security hole this massive should not have happened. I’m coming off as a open-source homer, but I assure you I like .NET, and am not a fan of PHP. However, yes, PHP and Linux has security holes and patches, but something of this nature and easy to implement? It’s like XSS x1,000. Software is never perfect and their will always be bad code, however, none as big as this in nature when it would have been so easy to avoid when creating the Framework starting in 2001. That is 9 years, no excuses. Makes you wander what jack*** exploit will come next.

NightStalker · September 30, 2010, 4:23am

@logic_earth. Yes, I agree 100%. There are also lots of security pitfalls and hole in PHP and Linux. It happens, it is not the end of the world. It is how you react to it that counts.

logic_earth · September 29, 2010, 2:12pm

As long as humans write the code there will be flaws, there will be security holes. Always. And the open source fan boys have nothing to say, I just installed 200+ security patches on several of my Linux servers just last week.

Jason__C · September 29, 2010, 12:20pm

Their should have never been this type of flaw in the first place, I bet the open-source fan boys are loving this. Although, Microsoft was on this fast, and put out a patch in a fairly quick manner. I do give them credit for that. Just hope another security flaw doesn’t show up in the future. Thanks for the update guys.

wwb_99 · September 30, 2010, 7:05pm

In 2001, you saw stuff like the Nimda and Code Red worms. You didn’t have the network nor computing horsepower in general to send hundreds of thousands of requests at a web server to scan for errors. And that is if the web servers in question didn’t melt under the load and just quit serving stuff altogether. Keep it in perspective.

NightStalker · September 29, 2010, 9:54am

Launched: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

wwb_99 · September 28, 2010, 3:04pm

More important, the fix is dropping today. There goes any productivity this afternoon/evening.

NightStalker · September 28, 2010, 5:25am

Yes, I already know about that. Thanks for sharing. My site has already in the past had a different attack against it that required me to implement URLscan as a protection. And further more, I think it is very bad practice to deploy an app without customErrors enabled