Monday, September 20, 2010

IMPORTANT: Security hole in ASP.NET and how to secure your installation

This weekend a security flaw was identified in Microsoft ASP.NET, the framework that Umbraco is built on. It affects any application built on Microsoft ASP.NET, which includes every Umbraco installation as well as any other CMS that runs on ASP.NET.

This means you have to take action to secure your site!

We've produced a guide that describes how to patch your installation, and we've also produced an Umbraco package that will try to patch your installation automatically and, if it can't, will walk you through doing it by hand. You can find the package in the package repository under Developer tools; it's called "ASP.NET Security Vulnerability Patch".


When you run the package, it shows you whether or not your website is vulnerable. If it is, there's a big "Fix this problem" button to press.


We're spreading this information via the update checker, our mailing list and our Twitter accounts, but please help us spread the word. A speech bubble (yes, we'll need to work on the CSS for long messages!) will be shown to every administrator who logs in to Umbraco over the next 14 days. It will show even after you've patched your installation; unfortunately we have no way to suppress it, because the patch is not part of the Umbraco core and the core cannot tell whether it has been applied.


The Panic Fund

We were able to make, test and distribute this patch because of our Panic Fund. In the HQ we keep an account that makes it possible to book all HQ staff on core development for a week, and we can draw on it in emergencies like this one. Despite the frustrating circumstances, it's yet another example of why I'm proud of how we've built the Umbraco HQ and why it keeps the whole project sustainable.

Now stop reading and start patching!

For in-depth information on the ASP.NET security issue, visit Scott Guthrie's blog.
