Security Vulnerability in ASP.NET — Padding Oracle Attack

All versions of ASP.NET (1.0 through 4.0) are vulnerable to a “padding oracle” attack on the CBC-encrypted data the framework hands to clients: because the server answers differently when decrypted data has bad padding, an attacker can decrypt (and forge) that data without ever learning the key.  Scott Guthrie has a good post about it here.  Microsoft has acknowledged the attack and is offering a workaround.  There is also a post on Microsoft’s Security Research and Defense blog here.  Microsoft’s official response makes it clear they are not happy that the researchers chose to disclose the attack publicly without reporting it to them first:

We continue to encourage security researchers to coordinate vulnerability disclosure with software vendors. We believe public disclosure before a comprehensive update can be produced only leads to customer risk through criminal activity.

An actual demonstration of the attack on a DotNetNuke installation to become the “SuperUser” took less than five minutes…

DotNetNuke has published their response here.

I’ll be keeping up with this over the weekend.  So come back to find out more.  I haven’t seen any attacks yet… but that will be when it gets interesting….
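To make the mechanism concrete, here is an added, self-contained Python demonstration of a CBC padding oracle attack. It is example code written for this page, not the ASP.NET exploit, Microsoft’s code, or the researchers’ tool. It assumes a toy Feistel block cipher in place of AES (the attack never depends on which cipher is underneath), a constructed key, IV and session string, and a local function standing in for the web server’s “padding valid / padding invalid” response; every name in it (padding_oracle, padding_oracle_attack, demo) is made up for the example.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher: a 4-round Feistel network with HMAC-SHA256 as the round function.
# It stands in for AES so this runs on the standard library alone. The attack below never
# looks inside it: a padding oracle is cipher-agnostic.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

# CBC mode with PKCS#7 padding, the construction the ASP.NET attack targets.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

# The oracle: the "server" answers only padding-OK / padding-bad; the key never leaves it.
def padding_oracle(key, iv, ciphertext):
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False

# The attack: recover the plaintext with no key, at most 256 oracle queries per byte.
def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned one byte at a time
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value the tail of the block is forced to take
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte may be 0x01 or a longer run such as 0x02 0x02:
                    # disturb the byte before it and keep the hit only if it survives.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), target):
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no guess accepted: this endpoint is not a padding oracle")
        recovered += xor(bytes(inter), prev)  # plaintext block = intermediate XOR previous block
    return unpad(recovered)

def demo():
    # Constructed sample: fixed key and IV, made-up session string. The attacker gets only
    # iv, ct and the oracle closure, never key.
    key = b"constructed-server-side-secret"
    iv = bytes(range(BLOCK))
    ct = cbc_encrypt(key, iv, pad(b"session=abc123;role=user"))
    return padding_oracle_attack(lambda iv_, block: padding_oracle(key, iv_, block), iv, ct)

if __name__ == "__main__":
    print(demo())
```

Run it and it prints the recovered session string using nothing but yes/no answers from the oracle. In the real attack the oracle is the application’s observable behaviour (a distinct error response, or a timing difference) when it fails to decrypt attacker-supplied ciphertext; Microsoft’s workaround closes it by making the application return one identical error page for every failure. The false-positive check on the last byte is the step most toy write-ups skip, and the one that bites on real traffic.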


Check to see if an assembly is strongly named.

Type sn -v NameOfAssembly.dll at the command line (sn.exe ships with the Windows SDK, so run it from a Visual Studio command prompt where it is on the path). It will say “Assembly 'NameOfAssembly.dll' is valid” if it is strongly named, and “NameOfAssembly.dll does not represent a strongly named assembly” if it is not.

c:\>sn -v Microsoft.AnalysisServices.AdomdClient.dll

Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.1
Copyright (c) Microsoft Corporation. All rights reserved.

Assembly 'Microsoft.AnalysisServices.AdomdClient.dll' is valid
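If sn.exe is not to hand (say you are auditing a drop of assemblies on a non-Windows box), the presence of a strong name can be read straight from the file headers. The following Python is an added example written for this page, not Microsoft’s tooling: it walks the PE headers to the CLI header (IMAGE_COR20_HEADER), reads the StrongNameSignature data directory and the COMIMAGE_FLAGS_STRONGNAMESIGNED flag, and classifies the assembly as signed, delay-signed or unsigned. The function names and the constructed test image from build_sample_image are mine; the header layout is the standard PE / ECMA-335 one.

```python
import struct
import sys

CLI_HEADER_DIR = 14                     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8   # IMAGE_COR20_HEADER.Flags bit (ECMA-335 II.25.3.3.1)

def _rva_to_offset(sections, rva):
    for va, virt_size, raw_size, raw_ptr in sections:
        if va <= rva < va + max(virt_size, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def strong_name_status(data):
    """Classify a managed PE image as 'signed', 'delay-signed' or 'unsigned' from its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                   # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                    # PE32 vs PE32+ data directories
    cli_rva, cli_size = struct.unpack_from("<II", data, dirs + 8 * CLI_HEADER_DIR)
    if not cli_rva or not cli_size:
        raise ValueError("no CLI header: not a managed assembly")
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        virt_size, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, virt_size, raw_size, raw_ptr))
    cli = _rva_to_offset(sections, cli_rva)
    flags = struct.unpack_from("<I", data, cli + 16)[0]
    sig_rva, sig_size = struct.unpack_from("<II", data, cli + 32)   # StrongNameSignature directory
    if sig_rva and sig_size and flags & COMIMAGE_FLAGS_STRONGNAMESIGNED:
        return "signed"
    if sig_rva and sig_size:
        return "delay-signed"   # space reserved for the signature but never filled in
    return "unsigned"

def build_sample_image(flags, sig_size):
    """Constructed input: a minimal PE32 image with one .text section holding a CLI header."""
    va, raw_ptr, raw_size = 0x2000, 0x200, 0x200
    sig_rva = va + 72 if sig_size else 0
    cor20 = struct.pack("<IHHIIIIIIII", 72, 2, 5, 0, 0, flags, 0, 0, 0, sig_rva, sig_size)
    sig = (b"\xab" if flags & COMIMAGE_FLAGS_STRONGNAMESIGNED else b"\0") * sig_size
    body = (cor20.ljust(72, b"\0") + sig).ljust(raw_size, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2022)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * CLI_HEADER_DIR, va, 72)   # CLI header directory entry
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + body

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, strong_name_status(f.read()))
```

Run it with one or more assembly paths as arguments. Mind the gap between this and sn -v: the script only reports that a signature blob is present and flagged, while sn -v actually verifies the RSA signature against the embedded public key, so a tampered file passes here and fails there. Also remember that since .NET Framework 3.5 SP1 the runtime skips strong-name validation for assemblies loaded into full-trust AppDomains (the strong-name bypass feature), so neither check means the CLR will validate the signature at load time.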

Software Architecture Deployment Viewpoint – Network Model Diagram Example

There seems to be a dearth of good software architecture diagrams on the web.  So, this is one of the examples I promised from my previous post.  Enjoy!

Software Architecture Viewpoints and Perspectives

In Philippe Kruchten’s seminal paper, “Architectural Blueprints—The “4+1” View Model of Software Architecture”, the idea of looking at a software architecture from a number of viewpoints is put forth.  This is needed because architectures are too complex to fit into one diagram.  The views Kruchten outlines are:

  • Logical
  • Development
  • Physical
  • Process

The “+1” of his model is the set of scenarios or use cases that illustrate the architecture from a functional view.

Nick Rozanski and Eoin Woods build on that idea in their book, Software Systems Architecture.  They list a number of other viewpoints that can be used to describe a Software Architecture.  They are:

  • The Functional Viewpoint
  • The Information Viewpoint
  • The Concurrency Viewpoint
  • The Development Viewpoint
  • The Deployment Viewpoint
  • The Operational Viewpoint

They also introduce the idea of software architecture perspectives.  A perspective addresses a quality property that cuts across viewpoints, such as security or performance, rather than belonging to any one of them.  I encourage you to read their book and tailor it to your architecture.  It has helped me tremendously on past projects and I plan to post samples soon.

Important Update for TFS 2010

It appears, according to this blog post, that the update just released for Lab Management contains many other fixes across all functions of TFS.  One of my clients was experiencing unexpected behavior during merges that this will hopefully address.  I would apply it as soon as possible.