Well, that was a wild read. I'm surprised it isn't getting more traction.
So, full disclosure, I'm no longer a developer due to disabilities, including one that keep me from being able to write code, however: I love C# and .NET, and a good portion of my early career was working with C#, .NET, and SOAP. That being said, Microsoft's response to this bug alone have turned me off to the language and framework. They clearly don't take security seriously. They favor possible compatibility issues over the hijacking of a bunch of servers on the internet. That attitude is not okay. I bet a simple code scan could probably find a whole bunch of endpoints that are vulnerable to this.
I would not be surprised if some of their own web applications are affected by this vulnerability.
Thanks for the read.
butvacuum•1mo ago
Note-
1) this is .Net Framework- which is in a holding pattern.
2) this requires inherently insecure code to be written-
3) I can't find it right now- but I seem to recall there being an option when defining the service in a web.config to write to a file instead of a http endpoint- ostensibly for development purposes.
These don't completely negate a WONTFIX response though- after all, .Net Framework 4.?? Disabled XML External Entities and schema loading by default.
eek2121•1mo ago
So, full disclosure, I'm no longer a developer due to disabilities, including one that keep me from being able to write code, however: I love C# and .NET, and a good portion of my early career was working with C#, .NET, and SOAP. That being said, Microsoft's response to this bug alone have turned me off to the language and framework. They clearly don't take security seriously. They favor possible compatibility issues over the hijacking of a bunch of servers on the internet. That attitude is not okay. I bet a simple code scan could probably find a whole bunch of endpoints that are vulnerable to this.
I would not be surprised if some of their own web applications are affected by this vulnerability.
Thanks for the read.
butvacuum•1mo ago
These don't completely negate a WONTFIX response though- after all, .Net Framework 4.?? Disabled XML External Entities and schema loading by default.