A CVE for every Season

Microsoft patches a nasty CVE with System.Text.Encodings.Web that affects every .NET platform (except maybe framework?); Microsoft takes down a security researcher's PoC of the Exchange hack, and "static abstract" may become a thing in C#.

Last Week in .NET - 3/13/2021
💍There's a new proposal for a "static abstract" keyword. My brain is foggy on the use-cases here; but let's go with it.
🚨 Do you use System.Text.Encodings.Web? There's a vulnerability that has been patched. The vulnerability is captured in CVE-2021-26701
This vulnerability has been patched with the release of .NET 5.0.4, and .NET Core 3.1.13.
For .NET 5.0.4, .NET 3.1.13, and .NET 2.1.26 this is a patch release that contains the CVE Fix. The usual provisos apply and patch your systems.
🎉 .NET 6.0.0 Preview 2 has been released. .NET 6.0.02 Preview 2 has been released. This release includes faster blazor compilation, CSS Isolation for ASP.NET MVC views and Razor pages, more blazor improvements, and some MAUI thrown in for good measure.
🕷👨‍⚕️ .NET 6 introduced the Priority Queue and an enterprising Khalid Abuakumah shows how it works with a nice Avengers example Black Widow and Dr. Strange are far too down on his list, but other than that it's a pretty good ranking.
🎥 There's a Windbg video series out, and as someone who has had to suffer through the blog posts and documentation, I'm glad they've taken to video. You won't need Windbg until you do, and by then you'll wish you had already watched these videos.
🕵️‍♂️ There's a nasty CVE out that details vulnerabilities in Microsoft's DNS server. You know, that server that generally serves AD environments? There's a paper out about the CVEs.
🦈 Do you remember the Exchange CVE from last week? (If you haven't patched your Exchange server, please, do so. Now.), well some security researchers published a Proof of Concept on Github (PoC) and that PoC was taken down by Microsoft. Without any word from Microsoft, I can only take this as bad behavior on their part. Exposing this research only helps the pen-testers and security research community improve their craft; and the bad guys already had this information anyway. Taking it down from Github just reminds us that Microsoft owns Github; which may not be such a good. Plan accordingly.
🧓🎁 Visual Studio now lets you remove unused references which brings it up to par with ReSharper from... 2012.
👮‍♂️ Microsoft has a security scanner that can tell you if there are backdoors installed on your server I don't know if it can find rootkits, but there is a little comfort in this tool.
🕵️‍♀️ CISA has released new info on webshells created by the Exchange exploit. Keep a look out if you're an SRE.

© 2020 Double Your Productivity