Microsoft Security Bulletin MS10-070 - Important
Sep 29, 2010 04:30 AM|mehta.rahulit|LINK
http://www.microsoft.com/technet/security/Bulletin/MS10-070.mspx
Also, can experts comment on the same? How was it detected, how does it happen, where was the problem, etc.?
Re: Microsoft Security Bulletin MS10-070 - Important
Sep 29, 2010 05:11 AM|XIII|LINK
Hi,
It was detected by a security expert from South America and presented during a security conference.
Microsoft released a hotfix/patch for it this morning: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx.
Microsoft didn't make all the information public, which is quite understandable, so as not to expose ideas to people with the wrong intentions. The good thing is that there's a fix for it.
Grz, Kris.
Working with Azure, chatbots, ASP.NET MVC, Web API, EF, MS SQL, ...
Keep the forums clean: report to the moderation team!
Re: Microsoft Security Bulletin MS10-070 - Important
Sep 29, 2010 05:57 AM|mehta.rahulit|LINK
I have a live website in ASP.NET 3.5.
Do I need to apply this fix?
I read the following at the link you gave, but I have deployed on 3rd party hosting. In that case, how do I proceed?
What is the impact of applying the update to a live web-server?
If you apply the update to a live web-server, there will be some period of time when the web-server will be offline (although an OS reboot should not be required). You’ll want to schedule and coordinate your updates appropriately.
Importantly – if your site or application is running across multiple web-servers in a web-farm, you’ll want to make sure the update is applied to all of the machines (and not just some of them). This is because the update changes the encryption/signing behavior of certain features in ASP.NET, and a mix of patched and un-patched servers will cause that encryption/signing behavior to be incompatible between them. If you are using a web-farm topology, you might want to look at pulling half of the machines out of rotation, update them, and then swap the active and inactive machines (so that the updated machines are in rotation, and the non-updated ones are pulled from rotation and patched next) to avoid these mismatches.
Re: Microsoft Security Bulletin MS10-070 - Important
Sep 29, 2010 06:13 AM|Rovastar|LINK
A) Yes, you need to do this patch.
B) Ask your hosting provider how they are managing this patch release and explain the severity. That is one of the problems of having 3rd party hosting: in general, your site admin does not have control of the server.