Though the vulnerability affects other web platforms, on ASP.Net it is described as giving “a specially crafted ~100kb HTTP request [the ablility to] consume 100 percent of one CPU core for between 90 and 110 seconds” by Suha Can and Jonathan Ness from Microsoft Security Responce Center. By repeating these requests a user could mount a DoS attack on even a cluster of multi-core servers.

HybrisDisaster, alluding to be a member of Anonymous released the code, telling the public to “use it your own way.” It was expected, of course as Can and Ness stated in December, “We anticipate the imminent public release of exploit code.” Anyone who maintains an ASP.Net application should deploy the patches in Microsoft’s MS11-100 security bulletin.

ComputerWorld reported how an exploit was discussed by Klink and Walde during the Chaos Communication Conference a few weeks prior. Based on research from a 2003 paper, Klink and Walde demonstrated how a low-bandwidth attack could be initiated without the use of bots to take down entire websites – an attack equivalent to that of a full fledged denial of service attack. This attack utilizes the high CPU load needed to handle various hashing techniques to create a unbearable load on the server with minimal requests. Although the exploit requires a web application to utilize hash tables to even be vulnerable, it was found that various parts of auto-generated forms and its data in ASP .NET utilize these hashes, and thus was easily exploited.

Other languages, such as Ruby and PHP, were also vulnerable to this exploit. Ruby immediately released a patch to help combat the issue, while PHP made modifications to a future release. However, these releases were not critical as hashing is not as frequently used nor utilized by default in these languages.

Bravo, Microsoft. Bravo.

The Silverlight team released a press release a few days ago announcing the upgrade and describing all of the new goodies that have been included. Some of these include:

• Improved support for various media formats such (as well as some nifty variable speed playback support.
• Improved text support.
• Improved graphics.
• Generally improved performance.
• Lots of nice extensions and such for “Building next-generation business applications.”

Apparently this release of Silverlight allows developers to use the trusted application format. According to their report, that means that “when enabled via a group policy registry key and an application certificate, mean users won’t need to leave the browser to perform complex tasks.” For more information on the new release (such as what what it does, where to get it, and how to use it) check out this blog post that is linked from the ASP.net website.

So far, well over a million websites have been affected in some way by this. These are mainly sites that are associated with schools, universities, small businesses, and hospitals i.e. the types of organizations that probably wouldn’t spend thousands of dollars a year on advanced Internet security measures. Most of these were sites built using ASP.NET, and they were compromised by code being inserted by the bug. The code inserts an invisible link on the page that takes users to unsafe sites, which apparently divert to other sites as well. Apparently, all of the rogue sites are registered under the name “James Northone,” which is the same false name that was used during the aforementioned Liza Moon attack.

Surprisingly, only six out of forty three big web-security firms have actually been able to identify the virus, which is not good for the people that regularly visit the types of websites that would get infected. Experts have suggested that users keep all of the anti-virus and web related (Javascript, Flash, etc.) completely up to date because hackers often exploit weaknesses in previous under-supported versions of software.

Most of the features from the old site have stayed constant, such as the two navigation bars at the top of the page, and the community spotlight feed. The redesign includes some features such as more tutorials and the integration of social networking functionality (facebook, twitter, etc.). They have also added what they call an “Improved onboarding experience”, which means that they intend to make it easier to get new developers started. It seems that the most important aspect here is to make sure that the site is much easier to use than the previous one. Go ahead and check it out at http://beta.asp.net, and for more information on the new additions to and some of the plans for the site, go to this link to read an official rundown of what is going on.

He references Scott Guthrie’s vNext blog that keeps everyone up to date as well. There have been updates in editor support for smart tasks and event handler generation, data controls, and model binding.

We previously mentioned updates on MVC 4 which has a number of great new features. Some of the best new features are various new mobile functionalities.

Visual Studio 11 will come with Page Inspector. The tool allows you to do things like inspect web pages and select CSS rules.

Jason Zanders’ post notes that ASP.NET 4.5 is tailored to meet the top concerns developers have had.

ASP.NET’s “What’s New” gives a look as well. These new changes will hopefully prove to be of great benefit to the ASP.NET developing world.

A little background information on the seriousness of this problem (which Scott Guthrie provided towards the beginning of the incident): “An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).”

What’s more, “An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).”

So the flaw posed a definite threat.  Fortunately, as we mentioned earlier, Microsoft came up with a solution, and administrators can seek it out in the Microsoft Download Center if they like.

It’s possible administrators can save themselves that slight inconvenience, too, as Microsoft also made it possible to access the fix through Windows Update and Windows Server Update Services.

Administrators should just be sure they patch everything one way or another, as Microsoft officially considers the matter important (via its “Aggregate Severity Rating”) and word of the problem has almost certainly gotten around by now.

Microsoft’s recommended fix at this point is to configure the web application to use custom error pages that return the same error for all requests. This fix however does not address the fact that status codes and the processing time for the request are tell-tale indicators of success or failure. It also is not an option for web applications that depend on custom error pages for web services. The vulnerability is in the inherent design so a true fix may be slow coming. While administrators of a small- to medium-sized web applications might feel that a low enough profile would prevent them from being a target and forgo looking into this vulnerability, they should not ignore the problem. The exploit has been publicly disclosed, the algorithm works as advertised, and there is already a youtube video tutorial. The code makes the exploit mindlessly easy.

With the introduction of magnificent JavaScript libraries and HTML5, the options for creating dynamic, interactive charts and graphs become more powerful. For developers of ASP.NET, many chart and graph classes have been implemented as custom subclasses of System.Web.UI.WebControls that bind to the data source and paint the pretty representations when placed on a page. Extending the WebControls base class brings all the benefits of the .NET Framework to the custom object. After slugging through that process a few times, some enterprising developers added more extensible features andpackaged the custom chart classes into portable DLLs available for purchase. The varied list of Charting and Graphing controls affords plenty of choice in the market. Perhaps lost in that noise for some, a few of seasons ago, Microsoft released theirofficial version of a Chart control that is usable with .NET Framework 3.5 SP1 and above. When the official chart control came out,Microsoft blogged about using the Chart control and demonstrated the control’s nearly drag-and-drop functionality. The Chart control is fairly comprehensive, includes many types of charts, 2D and 3D, and should be able to handle most charted data visualization scenarios.

The official chart control is so good, in fact, with the past Spring-release of ASP.NET 4 and Visual Studio 2010, the Microsoft Chart control is included in the bundle. Officially sanctioned and distributed, the Microsoft Chart control and all of its potential are detailed in someMicrosoft sample Chart code. The Microsoft Chart control manages the presentation of the chart, which leaves the developer with the true programming problem of modeling the data and choosing the best representation for the data relationships. Use theEnergy Information Administration Standards Manual to guide your choice of bar, line, or pie chart, layout and scale, labels, legends, and lines, and everything else that can make your chart as relevant and as meaningful as possible.

When a developer writes code in spite of it being available and functionally equivalent, it is what is called “Not Invented Here” syndrome. If a developer seeks out the work and knowledge that another has prepared, the it is what Proctor and Gamble coined “Proudly Found Elsewhere.” Many custom controls for a multitude of common web application features are already coded and distributed as dynamically linked libraries (DLLs) to the ASP.NET community. Microsoft, themselves, provide such a directory of custom controls on the ASP.NET site, with “over 900 controls and components to use in your own applications … everything from simple controls to full e-commerce components.”

The next time your project needs to fulfill a common use-case or a specification entails a feature that someone else would have a need for, instead of charging ahead with your implementation, take a step back and survey the offering of which components are already available to you and that you can take advantage of. Look past the common framework, and see what you can integrate from the work of others. And always remember that if you see a deficient solution, by all means code it up yourself, but consider sharing your work with others, so as to speed up the innovation across the industry. More innovation leads to more long-term opportunities for development for everyone.