Update: Microsoft Issues Out-of-Band Security Update to address ASP.NET Vulnerability--SharePoint Vulnerable to Oracle Padding Attack

Microsoft's ASP.NET security update is now available:
To read Microsoft Security Bulletin MS10-070 - Important, "Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)", go to the Microsoft website.

From a SharePoint-related FAQ in Scott Guthrie's blog (ScottGu) entry at Microsoft titled "ASP.NET Security Update Now Available":
"Does this update work with SharePoint?"
"Yes. We have not found any issues in testing SharePoint with this security update. You should install it on SharePoint servers to ensure that they are not vulnerable."

From a Microsoft TechNet webinar with Dave and Duncan on 9/28/10:
"Will SharePoint be affected?"
"It is affected but you don't need to do anything beyond applying the security update."
"Will there be a specific patch for SharePoint?"
"The products using ASP.Net will be protected after this update is installed. If you have Exchange or SP, all you need is this update."

See also the post from the SharePoint Product team blog.

The Microsoft SharePoint Product Group blog has updates about the recent security vulnerability involving ASP.Net. Note the 9/22/10 update. They also offer a workaround and a warning.

If you're interested in learning more about the oracle padding attack, Paul Robichaux, Exchange expert at Windows IT Pro magazine, offers a detailed article that's worth a look.