Tuesday, September 28, 2010

You are invited to register on

This is an e-mail from website sent by Meetu Choudhary. You are invited to register on this site: http://mynangal.com/component/user/?task=register&referrer=AUPRS-4C46A300E6E73.

Monday, September 20, 2010

Buzz from Meetu Choudhary



 Link to this post:
 http://www.google.com/buzz/109834034077908872313/PwEx3FeyRaJ/Experience-the-web-development-with-a-new-tool-by

11:55 am Meetu Choudhary: Experience web development with a new tool by Microsoft, and try it; it is absolutely free. The new generation of Web Development

http://www.microsoft.com/web/webmatrix/default.aspx?wt.mc_id=soc-in-wag-msp-arpititpro

An URGENT ASP.NET (all versions) security Vulnerability Found

Important: ASP.NET Security Vulnerability

A few hours ago we released a Microsoft Security Advisory about a security vulnerability in ASP.NET.  This vulnerability exists in all versions of ASP.NET.

This vulnerability was publicly disclosed late Friday at a security conference.  We recommend that all customers immediately apply a workaround (described below) to prevent attackers from using this vulnerability against your ASP.NET applications.

What does the vulnerability enable?

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

How the Vulnerability Works

To understand how this vulnerability works, you need to know about cryptographic oracles. An oracle in the context of cryptography is a system which provides hints as you ask it questions. In this case, there is a vulnerability in ASP.NET which acts as a padding oracle. This allows an attacker to send cipher text to the web server and learn if it was decrypted properly by examining which error code was returned by the web server.  By making many such requests (and watching what errors are returned) the attacker can learn enough to successfully decrypt the rest of the cipher text.

How to Workaround The Vulnerability

A workaround you can use to prevent this vulnerability is to enable the <customErrors> feature of ASP.NET, and explicitly configure your applications to always return the same error page - regardless of the error encountered on the server. By mapping all error pages to a single error page, you prevent a hacker from distinguishing between the different types of errors that occur on a server.

Important: It is not enough to simply turn on CustomErrors or have it set to RemoteOnly. You also need to make sure that all errors are configured to return the same error page.  This requires you to explicitly set the "defaultRedirect" attribute on the <customErrors> section and ensure that no per-status codes are set.

Enabling the Workaround on ASP.NET V1.0 to V3.5

If you are using ASP.NET 1.0, ASP.NET 1.1, ASP.NET 2.0, or ASP.NET 3.5 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application's root Web.Config file.  If the file doesn't exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings:

<configuration>        
 
   <system.web>
 
      <customErrors mode="On" defaultRedirect="~/error.html" />
 
   </system.web>        
 
</configuration>

3) You can then add an error.html file to your application that contains an appropriate error page of your choosing (containing whatever content you like).  This file will be displayed anytime an error occurs within the web application.

Notes: The important things to note above are that customErrors is set to "On", and that all errors are handled by the defaultRedirect error page.  There are no per-status code error pages defined, which means that there are no <error> sub-elements within the <customErrors> section.  This prevents an attacker from differentiating why an error occurred on the server, and prevents information disclosure.

Enabling the Workaround on ASP.NET V3.5 SP1 and ASP.NET 4.0

If you are using ASP.NET 3.5 SP1 or ASP.NET 4.0 then you should follow the below steps to enable <customErrors> and map all errors to a single error page:

1) Edit your ASP.NET Application's root Web.Config file.  If the file doesn't exist, then create one in the root directory of the application.

2) Create or modify the <customErrors> section of the web.config file to have the below settings.  Note the use of redirectMode="ResponseRewrite" with .NET 3.5 SP1 and .NET 4.0:

<configuration>
 
   <system.web>
 
     <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
 
   </system.web>
 
</configuration>

3) You can then add an Error.aspx to your application that contains an appropriate error page of your choosing (containing whatever content you like).  This file will be displayed anytime an error occurs within the web application.

4) We recommend adding the below code to the Page_Load() server event handler within the Error.aspx file to add a random, small sleep delay. This will help to further obfuscate errors.

VB Version

Below is a VB version of an Error.aspx file that you can use, and which has a random, small sleep delay in it.  You do not need to compile this into an application – you can optionally just save this Error.aspx file into the application directory on your web-server:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
 
<script runat="server">
    Sub Page_Load()
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
 
        
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
 
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        Sorry - an error occurred
    </div>
</body>
</html>

C# Version

Below is a C# version of an Error.aspx file that you can use, and which has a random, small sleep delay in it.  You do not need to compile this into an application – you can optionally just save it into the application directory on your web-server:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
 
<script runat="server">
   void Page_Load() {
      byte[] delay = new byte[1];
      RandomNumberGenerator prng = new RNGCryptoServiceProvider();
 
      prng.GetBytes(delay);
      Thread.Sleep((int)delay[0]);
        
      IDisposable disposable = prng as IDisposable;
      if (disposable != null) { disposable.Dispose(); }
    }
</script>
 
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>
        An error occurred while processing your request.
    </div>
</body>
</html>

How to Verify if the Workaround is Enabled

Once you have applied the above workaround, you can test to make sure the <customErrors> section is correctly configured by requesting a URL like this from your site: http://mysite.com/pagethatdoesnotexist.aspx

If you see the custom error page appear (because the file you requested doesn't exist) then your configuration should be set up correctly.  If you see a standard ASP.NET error then it is likely that you missed one of the steps above.  To see more information about what might be the cause of the problem, you can try setting <customErrors mode="RemoteOnly"/>, which will enable you to see the error message if you are connecting to the site from a local browser.

How to Find Vulnerable ASP.NET Applications on Your Web Server

We have published a .vbs script that you can save and run on your web-server to determine if there are ASP.NET applications installed on it that either have <customErrors> turned off, or which differentiate error messages depending on status codes.

You can download the .vbs script here.  Simply copy/paste the script into a text file called "DetectCustomErrors.vbs" and save it to disk.  Then launch a command window that is elevated as admin and run "cscript DetectCustomErrors.vbs" to run it against your local web-server.  It will enumerate all of the applications within your web server and verify that the correct <customErrors> configuration has been specified.


It will flag any application where it finds that an application's web.config file doesn't have the <customErrors> section (in which case you need to add it), or doesn't have it set correctly to workaround this attack (in which case you need to update it).  It will print "ok" for each application web.config file it finds that is fine.  This should hopefully make it easier to locate issues.
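The checks described above can also be run against a web.config file directly, for example in a deployment pipeline. The following is an added example, not the .vbs script the post refers to; the function name, the `require_response_rewrite` switch and the sample configurations are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # A web.config root may carry an xmlns, so compare local names only.
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml, require_response_rewrite=False):
    """Return a list of findings; an empty list means the workaround is applied."""
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    # Also picks up <customErrors> overrides nested under <location> elements.
    sections = [el for el in root.iter() if _local(el.tag) == "customErrors"]
    if not sections:
        return ["no <customErrors> section"]

    findings = []
    for section in sections:
        mode = section.get("mode")
        if mode != "On":  # Off, RemoteOnly or a missing attribute all fail
            findings.append('mode is %r, expected "On"' % mode)
        if not (section.get("defaultRedirect") or "").strip():
            findings.append("defaultRedirect is not set")
        codes = [el.get("statusCode", "?") for el in section
                 if _local(el.tag) == "error"]
        if codes:
            findings.append("per-status <error> pages: " + ", ".join(codes))
        if require_response_rewrite and \
                section.get("redirectMode") != "ResponseRewrite":
            findings.append('redirectMode is not "ResponseRewrite"')
    return findings


# Constructed sample configurations (not taken from a real server).
APPLIED = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></configuration>"""

PER_STATUS = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

MISSING = """<configuration><system.web>
  <compilation debug="false" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("applied", APPLIED), ("per-status", PER_STATUS),
                      ("missing", MISSING)):
        print(name, audit_custom_errors(xml) or "ok")
```

Pass `require_response_rewrite=True` for applications on ASP.NET 3.5 SP1 or 4.0, where the workaround also sets redirectMode="ResponseRewrite".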

Note: We have developed this detection script over the last few hours, and will be refining it further in the future.  I will post an update in this section each time we make a change to it.

How to Find More Information about this Vulnerability

You can learn more about this vulnerability from:

Forum for Questions

We have setup a dedicated forum on the www.asp.net site to help answer questions about this vulnerability.

Post questions here to ask questions and get help about this vulnerability.

Summary

We will post more details as we learn more, and will also be releasing a patch that can be used to correct the root cause of the issue (and avoid the need for the above workaround).

Until then, please apply the above workaround to all of your ASP.NET applications to prevent attackers from exploiting it.


Re Post of : http://bit.ly/bcmwUo

Regards, May Lord Shiva Bless all of us 

Meetu Choudhary
Microsoft MVP (ASP.Net)

DNS MVM Awardee | Microsoft Certified Professional | Microsoft Certified Technology Specialist | 
Co-founder / Webmaster :
 
www.jaipurmentor.com | www.msdotnetmentor.com | www.indiaalt.net | Lead Editor / Webmaster : www.dotnetspider.com | www.silverlightclub.com  | interview.msdotnetheaven.com | forum.msdotnetheaven.com | My Blog : http://aspnetbymeetu.blogspot.com | My Profile : www.google.com/profiles/meetuchoudhary

Thursday, September 16, 2010

Count number of times day will fall in a month of a year

People who start learning any programming language often have the problem of how to find out the number of days in a particular month of a year. Sometimes it is given to them as an assignment, and sometimes real-world programming creates a situation where we have to do the same. Recently I was surfing a forum site and stopped by the same question, so I thought I would write an article about it.

I will write the function in two ways: first the traditional approach, and second an implementation using LINQ.

First: The traditional implementation:

Create a function that returns, as an integer, the number of times a particular day occurs in a particular month of the year:

        /// <summary>
        /// Count number of times day will fall in a month of a year
        /// </summary>
        /// <param name="year">Year in which the month will fall</param>
        /// <param name="month">Month for which we need to count the number of days</param>
        /// <param name="dayOfWeek">Day of week which we want to count</param>
        /// <returns>Number of times the day will fall in that month</returns>
        static int NumberOfParticularDaysInMonth(int year, int month, DayOfWeek dayOfWeek)
        {
            //create a variable for the start date, i.e. the 1st of the month in the year passed as arguments
            DateTime startDate = new DateTime(year, month, 1);
            //use the function of the DateTime class which returns the number of days in that particular month
            int days = DateTime.DaysInMonth(startDate.Year, startDate.Month);
            //create and initialize to 0 a variable which will hold the number of occurrences in that month
            int weekDayCount = 0;
            //create a loop to count the number of occurrences of that day
            for (int day = 0; day < days; ++day)
            {
                //add days to the start date and check whether its day of week is the one we are counting; if yes add 1 to our variable, else add 0
                weekDayCount += startDate.AddDays(day).DayOfWeek == dayOfWeek ? 1 : 0;
            }
            //return the count variable
            return weekDayCount;
        }

Now we just need to call the above function, like this:


int CountDayOfWeekInMonth = NumberOfParticularDaysInMonth(2010, 9, DayOfWeek.Friday);


The LINQ implementation of the same function looks like this:


        // Requires: using System.Linq;
        /// <summary>
        /// Count number of times day will fall in a month of a year
        /// </summary>
        /// <param name="year">Year in which the month will fall</param>
        /// <param name="month">Month for which we need to count the number of days</param>
        /// <param name="dayOfWeek">Day of week which we want to count</param>
        /// <returns>Number of times the day will fall in that month</returns>
        static int NumberOfParticularDaysInMonth(int year, int month, DayOfWeek dayOfWeek)
        {
            //create a variable for the start date, i.e. the 1st of the month in the year passed as arguments
            DateTime startDate = new DateTime(year, month, 1);
            //subtract the start date from the 1st of the next month to get the number of days in that particular month
            int days = startDate.AddMonths(1).Subtract(startDate).Days;
            //use LINQ to get the number of occurrences of that day
            int weekdaycount = Enumerable.Range(1, days)
                .Select(item => new DateTime(year, month, item))
                .Where(date => date.DayOfWeek == dayOfWeek)
                .Count();
            //return the count variable
            return weekdaycount;
        }


Now you can call the above function using the following statement:

int CountDayOfWeekInMonth = NumberOfParticularDaysInMonth(2010, 9, DayOfWeek.Friday);



IE9 Beta is now available for download



Hi Friends !!!

IE9 Beta is now available for download at http://www.beautyoftheweb.com/

You can now download it and test it :)

Why IE9 will not run on Windows XP?
Hear it straight from Horse’s mouth-


Dean Hachamovitch explains why Internet Explorer 9 will not run on Windows XP.



Monday, September 13, 2010

Insert Flash Objects in PowerPoint 2010

It seems strange that I am writing an article about PowerPoint, as I always write about .NET or Silverlight, but today my sister asked me how she could insert a Flash file (SWF) into PowerPoint: she had to insert her company's Flash presentation into another presentation that she was making in PowerPoint 2010. So I thought I would share it.

Make sure that the Flash Player is installed on the computer. Then, follow these steps:
1. Open the PowerPoint presentation in which you want to insert the Flash object, in Normal view.
2. Add the slide (preferably a blank slide) in which you need to insert the Flash object.
3. Now click the File menu, and then click Options.
4. Then click Customize Ribbon, check the check box labeled Developer in the right list, and then click OK.
5. Now on the Developer tab, click the More Controls button in the Controls group.
6. In the list of controls, click Shockwave Flash Object, click OK, and then drag on the slide to draw the control.
7. Resize the control by dragging the sizing handles.
8. Right-click the Shockwave Flash Object and then click Properties.
9. On the Alphabetic tab, click the Movie property.
10. In the value column (the blank cell next to Movie), type the full drive path, including the file name (for example, C:\MyFile.swf) or uniform resource locator (URL) to the Flash file that you want to play.

And that's all we need to do. Now you can enjoy playing the file.


'Here You Have' Mass Mailing Worm Spreading

Hello All,

A new kind of worm/virus is spreading; please be aware of it. The details are below, so please check them.

Have you received a mail recently that had the subject - 'Here you Have'? It may be a virus/ worm.

There is a new mass mailing worm out in the wild, and it is sending emails with the subject "Here You Have" or "Just For You". In addition, it also spreads via drives C: through H:. When spreading through email, the message contains a link to the worm hosted on a remote server. The file icon resembles a PDF document to maximize the chances of the user clicking on it. Once the client system is infected, Win32/Visal.B uses MAPI to perform a mass mailing to all contacts that it finds on the system. Unfortunately, in a corporate environment the target audience may be extensive. As more machines on a corporate network are infected, more and more email is sent around on the local network, which can cause mail server performance degradation.

Also, once inside a corporate/ home network, it spreads by finding any accessible computer in the network, and copies itself as "N73.Image12.03.2009.JPG.scr" to drives C: to H: of the target computer. The worm creates an autorun configuration file named "autorun.inf" to run the worm copy when the drive is accessed and Autorun is enabled.

A sample email that you may receive looks like:

Subject: Here you have
Body:
Hello:
This is The Document I told you about,you can find it Here.
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,

---------------------------------------------------------------------------

Microsoft is calling the worm: Worm:Win32/Visal.B. The worm does not leverage a vulnerability in a specific product, but rather, uses a social engineering technique called URL obfuscation to trick a user to launch a malicious SCR file.

An extensive summary of the worm can be found at the Microsoft Malware Protection Center Technical Summary:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fVisal.B

If you would like to stay safe from this, please don't click on links sent by unknown people or in mails that have the above structure. Microsoft has already updated their antimalware signatures and you are protected if you are running Windows Defender or Windows Security Essentials.
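A mail filter can catch the URL obfuscation described above by comparing what a link displays with where it actually points. This is an added example, not code from the original post or from Microsoft; the extension list, the function names and the href values in the sample message are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumed list of file types that run code when opened on Windows.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".bat", ".cmd", ".vbs"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _ext(url):
    return posixpath.splitext(urlparse(url).path)[1].lower()


def find_obfuscated_links(html_body):
    """Return one finding per link whose target is risky or misrepresented."""
    collector = _LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        reasons = []
        if _ext(href) in RISKY_EXTENSIONS:
            reasons.append("target file type " + _ext(href))
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            if urlparse(shown).hostname != urlparse(href).hostname:
                reasons.append("shown host differs from target host")
            if _ext(shown) != _ext(href):
                reasons.append("shown file type differs from target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed body: visible text is the lure quoted in the post; hrefs are placeholders.
SAMPLE = """<p>This is The Document I told you about,you can find it
<a href="http://files.example.invalid/PDF_Document21.025542010.scr">Here</a>.</p>
<p><a href="http://files.example.invalid/PDF_Document21.025542010.scr">
http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf</a></p>
<p><a href="http://intranet.example.invalid/handbook.pdf">
http://intranet.example.invalid/handbook.pdf</a></p>"""

if __name__ == "__main__":
    for finding in find_obfuscated_links(SAMPLE):
        print(finding["href"], finding["reasons"])
```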


The complete article can be read from here... "MERA WINDOWS"
