An additional measure is needed to fully protect against the Oracle attack on ASP .NET sites.
Scot Guthrie seems to be still bearing the weight of dealing with getting the news out about the on-going ASP .NET security problems. The latest update on his blog issues revised instructions on defending sites against the attack which basically include some additional measures.
In addition to the previous steps you should now also install and configure the IIS URLScan module (x86 Version or x64 Version).
Once URLScan is installed modify the UrlScan.ini file in this location:
Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section.
Add an additional “aspxerrorpath=” entry immediately below it and then save the file:
The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.
More on the ASP.NET vulnerability
New ASP .NET vulnerability
Microsoft Security Advisory 2416728 (Updated 9/24)
Understanding the ASP.NET Vulnerability
Initial Blog Post
Frequently Asked Questions Post
SharePoint Team Blog Post
Microsoft Security Response Center Blog Post
Microsoft Security Response Center Update Post
The DMCA, Programmers And VWGate
The news is full of how VW cheated on emissions test, but it isn't focused on our, that is the programmer's, role in the entire affair and it isn't highlighting the way the Digital Millennium Copyrigh [ ... ]
BBC Micro Bit Delay - A Chance For CodeBug?
The BBC has confirmed that the Micro Bit, its tiny development board, will be delayed until the end of 2015. At the same time CodeBug, which offers many of the same features, is now available to [ ... ]