MS15-034 | Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Phil Lello phil at dunlop-lello.uk
Thu Apr 16 13:53:50 EDT 2015


>
> Inquiring into the patching practices of federated partners is one of
> those things that you probably don't want to do unless you're prepared for
> the answer. For example, say they were awful (hint, hint)...what would you
> do as a result? Whose functionality are you prepared to turn off and who's
> going to defend that decision to management?
>
> Just doesn't happen much, sad to say.


Very good point. I guess it's just on my mind as I'm putting together a
proposal to patch the code behind a Shib IdP RemoteUser check to chain on
to an ADFS IdP rather than throwing up a form that does an LDAP-bind
against AD (all part of the joy of using Office365 for email, needing a
WS-Trust based IdP for things like Lync, and various internal web apps that
authenticate directly against the system RemoteUser chains too).

Phil