April 2009 - Posts

Token Kidnapping - Fixed

A year ago, Cesar Cerrudo presented a serious elevation-of-privilege vulnerability involving the NetworkService or LocalService account, specific to the IIS worker process. Although Microsoft addressed this in April last year, that was more of a workaround than a fix for the actual issue. Today, after a long wait and some serious testing, Microsoft has released a security bulletin update to close this gap. I have yet to test this :) busy again !!! You should test it out in a lab environment before any production deployment; this KB details all the impacted files.

And read the blogs over at MSRC and SRD for more information about this issue.

ANEW MVP!

You know what... for the past many years, on this very same day, I get an email from Microsoft telling me: Congrats, we are pleased to award you... as MVP from 200X to 200X. And each time I double-check the source header and go to the award site to make sure that it is not a prank, since you know it is April Fool's Day today :)

Anyway, I got renewed, still hang around the iis.net or directaccess newsgroups, and have been really busy. Hopefully somewhere in Q2 I will have more time for newsgroups/forums.

Cya.
