[Micronet] Microsoft Out-Of Band Patch

[Micronet] Microsoft Out-Of Band Patch

John Ives

As you may know, Microsoft released an out-of-band patch yesterday
(Sept. 28th, 2010) for a vulnerability in ASP.NET that could allow
information disclosure and even data tampering on a targeted system,
even when that information was encrypted by the server.  While it is
important to apply this patch to every supported system, it is
particularly important on public facing web servers using ASP.NET
applications where attackers can attack the system directly.  With this
in mind, we (System and Network Security) would like to urge anyone
running a web server with ASP.NET applications to download and install
the patch as soon as possible.

Unlike many patches Microsoft puts out, this patch is not currently
available for automatic distribution, though MS has stated that it will
be in the future.  For now, individuals who need to install the patch
immediately will need to go to
http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx and
download the appropriate patch for installation.

Yours,

John Ives


--
-------------------------------------------------------------------------
John Ives
System & Network Security    Phone (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Microsoft Out-Of Band Patch

Graham Patterson
Looks like Windows Update has it now.

Graham

On 9/29/10 11:05 PM, John Ives wrote:

>
> As you may know, Microsoft released an out-of-band patch yesterday
> (Sept. 28th, 2010) for a vulnerability in ASP.NET that could allow
> information disclosure and even data tampering on a targeted system,
> even when that information was encrypted by the server.  While it is
> important to apply this patch to every supported system, it is
> particularly important on public facing web servers using ASP.NET
> applications where attackers can attack the system directly.  With this
> in mind, we (System and Network Security) would like to urge anyone
> running a web server with ASP.NET applications to download and install
> the patch as soon as possible.
>
> Unlike many patches Microsoft puts out, this patch is not currently
> available for automatic distribution, though MS has stated that it will
> be in the future.  For now, individuals who need to install the patch
> immediately will need to go to
> http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx and
> download the appropriate patch for installation.
>
> Yours,
>
> John Ives
>
>
> --
> -------------------------------------------------------------------------
> John Ives
> System & Network Security    Phone (510) 229-8676
> University of California, Berkeley
> -------------------------------------------------------------------------

--
Graham Patterson, Systems Administrator
Lawrence Hall of Science, UC Berkeley   510-643-2222
"...past the Tyrannosaurus, the Mastodon, the mathematical puzzles, and
the meteorite..." - directions to my office.

 