Slashdot Mirror


Microsoft Issues Ominous ASP.Net Security Warning

An anonymous reader writes "A security flaw in Microsoft's ASP.NET apparently allows access to password-protected areas just by altering a URL. There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits. About 2.9 million web sites run on ASP.NET according to Netcraft." Some more links: another Microsoft article, NTBugtraq, K-Otik and Heise.

22 of 554 comments

  1. How Dogbert would handle this by mfh · · Score: 5, Funny

    There's no patch yet, but in the meantime Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits.

    And that's why Microsoft is going to eventually lose the war against open source. Can you imagine the heated boardroom discussions going around the table now?

    Dilbert: "Microsoft says we need to pull 20 programmers away from their current workloads to focus on fixing ASP .NET in all our websites. C-c-canon-ical-ization is what they are calling it."

    Dogbert: "How long is this going to take? And who is making these words up anyway?"

    Dilbert: "Two weeks." (I mean that's the standard response right?)

    Dogbert: "Let's give all our programmers a holiday, effective yesterday. Shut the sites down in twenty minutes after I call our contact in Belize. It's time for EULA loophole #27. {{WAG!}}"

    So do the math. And tell me, please, all ye Microsoft supporters, why Open Source lowers my ROI again!

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:How Dogbert would handle this by nizo · · Score: 5, Funny
      Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits.

      My first thought was, "yes, rewrite them in perl or PHP".

    2. Re:How Dogbert would handle this by ThePatrioticFuck · · Score: 5, Funny
      "All that's required is a couple of lines in Global.asax. That's hardly a rewrite."
      No no no, I'm afraid we can't allow that. This is a MS bashing story, you can only submit such insightful and logical suggestions on *Nix flaw stories :)
    3. Re: How Dogbert would handle this by Black+Parrot · · Score: 4, Funny


      > While I think the flaw itself is a concern the 'rewrite their applications' quote is pure drivel. All that's required is a couple of lines in Global.asax. That's hardly a rewrite.

      Since it's trivial, can I expect Microsoft to send someone by to do it for us?

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:How Dogbert would handle this by Spoing · · Score: 2, Funny
      A slight re-write;

      1. Dilbert: "Microsoft says we need to pull 20 programmers away from their current workloads to focus on fixing ASP .NET in all our websites. C-c-canon-ical-ization [reference.com] is what they are calling it."

      Dogbert: "With so many companies using ASP .NET, it's unlikely that we will be singled out for attack. Besides, if our admins aren't fighting fires, how do we know that they are doing a good job or not?"

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    5. Re:How Dogbert would handle this by FyRE666 · · Score: 2, Funny
      If a car has a screw that becomes loose after 10,000 miles and could potentially let the engine drop out, regardless of how rare it might happen, every car will be recalled and the screw will be tightened and the car given back. Do you really think that a car company would tell its customers to tighten the screw?
      Cue: Dialogue from "Fight Club"

      Narrator: A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

      Business woman on plane: Are there a lot of these kinds of accidents?

      Narrator: You wouldn't believe.

      Business woman on plane: Which car company do you work for?

      Narrator: A major one.
    6. Re:How Dogbert would handle this by Anonymous Coward · · Score: 1, Funny

      Clearly you don't know how to design modular systems.

  2. Doh! by JohnFromCanada · · Score: 2, Funny

    And I thought register_globals was bad!

  3. How simple! by AndroidCat · · Score: 5, Funny
    Microsoft is telling ASP.NET developers they can rewrite their applications to prevent exploits.

    Ah, that's easy then. Do they have a suggestion for which web app platform and OS I should rewrite my apps for?

    --
    One line blog. I hear that they're called Twitters now.
    1. Re:How simple! by byolinux · · Score: 2, Funny

      Clearly it's Web2 for OS/2 Warp.

      I hear it's what Al Gore and Tim Berners-Lee made the Internet on before they made AOL[1]

      [1] Joke, there.

  4. Rewrite the code! by Mr.+Flibble · · Score: 5, Funny

    They don't have to worry. All the people with black hats will rewrite the code for them... Free of charge!

    --
    Try to hack my 31337 firewall!
  5. Obligatory ... by Anonymous Coward · · Score: 1, Funny

    About 2.9 million web sites run on ASP.NET according to Netcraft.

    It's official, Netcraft confirms: A whole lotta ASP .NET sites are dying ...

  6. Details... by JoeLinux · · Score: 5, Funny

    I guess when it is assumed that your OS is full of security holes, you can issue a press release that more or less just says, "Our security is sh*tty right now", expect everyone to just do a collective, "Yup", and shuffle off.

  7. Obligatory by Anonymous Coward · · Score: 4, Funny

    Asp.NOT or asp.Nyet!

  8. Where do you want to get carjacked today? by Doc+Ruby · · Score: 2, Funny

    I wonder how many US government websites in Iraq and Washington are running these soft targets? This is the kind of thing that's forced all our Cybersecurity chiefs to resign in disgust.

    --
    make install -not war

  9. Re:Time to go egging... by gregarican · · Score: 4, Funny

    Let's all go to http://www.billgates.com/files\private\How Can I Repackage the Same Old Shit in a New Wrapper.doc

  10. Finally! by Garabito · · Score: 5, Funny

    No more [registration required] articles on ASP.net servers!

  11. This isn't a bug really by Jakhel · · Score: 5, Funny

    it was a plot by the guys at Microsoft to gain backdoor access to porn sites. Think about it, develop a system for "secure logins" on the internet (whose business HAPPENS to be composed of 70% porn, 30% other) with a bug that lets you bypass the very login that was supposed to be secure? Riiiight. See business plan below.

    Step 1: Develop language for use with "secure login"
    Step 2: ???
    Step 3: Masturbate!

  12. Re:How Dogbert would handle this (Furthermore...) by Ingolfke · · Score: 5, Funny

    Unfortunately, the few lines required to implement the patch have already been copyrighted by Brian Connolly.

  13. again? by qtone42 · · Score: 2, Funny

    With M$'s track record for security, I fail to see why everyone's panties are in a bunch. Unfortunately, we should be used to this kind of crap from them by now, not surprised or panicky.

    Don't we have an SOP for Microsoft security announcements by now?

    --Qtone

  14. Re:'Just a patch' is something of a misnomer by KilobyteKnight · · Score: 2, Funny
    you know if software development is too frustrating for you, you can give a shot at flipping burgers at mcdonalds. You sound like an engineer who whines about having to do fixing and testing. Isn't that part of your job description?

    I used to do tech support for a local Wendy's franchise. You think that guy was bitching? You should hear the burger flippers bitching about their headsets. And in their case, it was usually their fault, not the equipment's fault.
    --
    When will Windows be ready for the desktop?
  15. Re:'Just a patch' is something of a misnomer by AndroidCat · · Score: 2, Funny
    The Consultant's Curse:

    When the customer has beaten upon you long enough, give him what he asks for, instead of what he needs. This is very strong medicine, and is normally only required once.

    --
    One line blog. I hear that they're called Twitters now.