Security hole in ASP.NET

You all need to know this:

Patch is in progress…

Murphy’s Law - “Anything that can go wrong, will go wrong”

Look, I understand where you two are coming from, but a security hole this massive should not have happened. I’m coming off as an open-source homer, but I assure you I like .NET, and am not a fan of PHP. However, yes, PHP and Linux have security holes and patches, but something of this nature and easy to implement? It’s like XSS x1,000. Software is never perfect and there will always be bad code, however, none as big as this in nature when it would have been so easy to avoid when creating the Framework starting in 2001. That is 9 years, no excuses. Makes you wonder what jack*** exploit will come next.

@logic_earth. Yes, I agree 100%. There are also lots of security pitfalls and holes in PHP and Linux. It happens, it is not the end of the world. It is how you react to it that counts.

As long as humans write the code there will be flaws, there will be security holes. Always. And the open source fan boys have nothing to say, I just installed 200+ security patches on several of my Linux servers just last week.

There should have never been this type of flaw in the first place, I bet the open-source fan boys are loving this. Although, Microsoft was on this fast, and put out a patch in a fairly quick manner. I do give them credit for that. Just hope another security flaw doesn’t show up in the future. Thanks for the update guys.

In 2001, you saw stuff like the Nimda and Code Red worms. You didn’t have the network nor computing horsepower in general to send hundreds of thousands of requests at a web server to scan for errors. And that is if the web servers in question didn’t melt under the load and just quit serving stuff altogether. Keep it in perspective.


More important, the fix is dropping today. There goes any productivity this afternoon/evening.

Yes, I already know about that. Thanks for sharing. My site has already in the past had a different attack against it that required me to implement URLscan as a protection. And furthermore, I think it is very bad practice to deploy an app without customErrors enabled.