Based on the sensational messages in mainstream media, I often hear the following question from consumers: "Why does Microsoft have more security issues than other software platforms?" To this I typically respond "They don't... it is all relative" and "The bigger you are, the larger the target you have on your back".
The fact is Microsoft dominates the information technology solutions landscape with its multitude of software products. As a result, when compared to other platforms, it has far more users who are pushing the boundaries of its software and utilizing it in unexpected ways. Not to mention, for those folks (ethical or otherwise) who make a living identifying and exposing software vulnerabilities, the Windows platform is a much more attractive target as it offers significantly greater opportunities in terms of exposure and financial gain.
This past week a vulnerability was exposed in the Microsoft ASP.NET framework by a couple of independent security 'researchers'. The exploit was characterized as an 'Oracle Padding' vulnerability and had the potential to expose confidential information for any ASP.NET website which was susceptible. Rather than following professional disclosure policies, the 'researchers' did not cooperate with Microsoft and decided to release the exploit details into the wild before any patch or workaround could be made available.
In support of my opening statement regarding "the bigger you are...", over the past 7 years the DotNetNuke community has grown to hundreds of thousands of production deployments worldwide and in the process has emerged as a more attractive target. This was validated this past week, when the 'researchers' chose DotNetNuke as their example application for demonstrating the Oracle Padding vulnerability during a conference in Buenos Aires, Argentina.
Unfortunately, this is not the first time we have had to deal with a security vulnerability in the DotNetNuke project. However, this also means that over the years we have been forced to establish security policies and procedures and a level of professional maturity which is unmatched in most open source projects. DotNetNuke has an elite Security Team led by Cathal Connolly and Brandon Haynes; two of the brightest minds from a software security perspective that I have ever had the pleasure of working with. Our Security Team, complemented by direct communication with the Microsoft Web Platform & Tools team, was an effective defense in dealing with the Oracle Padding vulnerability and protecting our community.
Taking immediate action on the workarounds provided by Microsoft, we were able to patch our own web properties and preserve the privacy of our customers and users within hours of the exploit being publicized. We utilized all of our available channels to notify folks in our community of the vulnerability, provided instructions on how to manually patch their websites, and included guidance on when to expect an official patch from DotNetNuke Corporation. Our world class engineering team stepped up; working overtime to ensure we could get a high quality release out in record time.
DotNetNuke 5.5.1 was officially released on Wednesday, September 22nd and we highly recommend that everyone install the upgrade as soon as possible (please remember that the only way to ensure the integrity of your website is to stay abreast of current DotNetNuke releases).
I should also mention that the members of our Security Team, as well as key individuals from our Product, Engineering, Sales, and Marketing teams, will be present at DotNetNuke Connections at Mandalay Bay Resort & Casino in Las Vegas, Nevada on November 1-4, 2010. This is the third consecutive year for our premier North American conference and there is no better opportunity for customers and users to interact directly with DotNetNuke Corporation leaders and decision makers.
The conference is once again partnered with DevConnections, which provides unparalleled value in terms of allowing attendees to take advantage of the maximum amount of content from ALL conference tracks; from Scott Guthrie's keynote, to cutting edge demos of future ASP.NET and Visual Studio technology, to SharePoint and SQL Server, and last but not least, in-depth sessions on every facet of DotNetNuke for both technical and non-technical audiences. DotNetNuke Connections offers the perfect mix of training and education, community engagement, business networking, giveaways and prizes, and entertainment (yeah, don’t forget it’s in Las Vegas!). I personally look forward to seeing many familiar faces at the conference, but I am even more excited to connect one-on-one with new DotNetNuke users.
In closing, please join me in commending the stellar efforts of our team in responding to the recent ASP.NET security situation. In addition, I would also like to mention that I deeply appreciate the patience and confidence of the DotNetNuke community as well as your contributions to the ongoing success and vitality of our ecosystem.