madeleneisidro591g

Update Obsolete JavaScriptSerializers: A Comprehensive Overview



SmtpClient is not being deprecated in .NET. This is a byproduct of a bug in the way the docs are generated: github.com/dotnet/docs/issues/1876#issuecomment... which points to github.com/mono/api-doc-tools/issues/76. The Mono implementation marked SmtpClient obsolete, and since Xamarin assemblies are aggregated from a doc standpoint, the annotation is incorrectly displayed for all doc types. The issues with .NET's SmtpClient are still points to keep in mind, as disposal does send the QUIT message across all established connections.


As of October 25, the official documentation has been changed and Microsoft is no longer marking SmtpClient as obsolete. However, it is still fundamentally broken and shouldn't be used for production applications where alternatives exist.




Update Obsolete JavaScriptSerializers



One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible.


Recommended Mitigations

Download and install a fixed version of the software from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.


Vulnerability Discussion, IOCs, and Malware Campaigns

CVE-2020-0688 exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.


This component is part of the ASP.NET AJAX update library in System.Web.Extensions and allows serialization and deserialization of data. The interface is straightforward and works reasonably well for most data types in application scenarios. The serializer works by simply passing in an object and returning a JSON string result. Type support is adequate, although there are some useful omissions.


The JavaScriptSerializer has another problem though: it's now marked obsolete, and according to the documentation and compiler error we're supposed to use DataContractJsonSerializer for JSON serialization. I think it was a good idea that JSON moved into a more generic portion of the .NET framework, but unfortunately the DataContractJsonSerializer has an even more restrictive interface than JavaScriptSerializer.


This is the conundrum we recently came across while trying to update credentials for an on-prem Power BI data source using PowerShell. The tricky part in that scenario was some RSA-OAEP encryption logic that needed to be applied to the data source authentication credentials before sending the request payload to the Update Gateway Data Source API endpoint. The Power BI team had recently provided a brand new v3 .NET Power BI SDK which included helper classes for easier encryption when creating the credential objects, but these classes hadn't been translated into corresponding PowerShell cmdlets to be used as part of our deployment process. Trying to recreate those encryption helpers in PowerShell would have taken quite a bit of effort, so we really wanted to utilize this new SDK.


JSON (JavaScript Object Notation), specified by RFC 7159 (which obsoletes RFC 4627) and by ECMA-404, is a lightweight data interchange format inspired by JavaScript object literal syntax (although it is not a strict subset of JavaScript [1]).


The old version of JSON specified by the obsolete RFC 4627 required that the top-level value of a JSON text must be either a JSON object or array (Python dict or list), and could not be a JSON null, boolean, number, or string value. RFC 7159 removed that restriction, and this module does not and has never implemented that restriction in either its serializer or its deserializer.


It has been a couple of years since the docs were properly updated. New features added since then, like extension data, annotations and JSONPath, now have documentation and code samples. The new code samples bring the total up to 116!


As of 12.0.2.17496, you only have access to the client secret key in two scenarios, when the client is initially created and when the key is regenerated. It is important to immediately record the secret key as you will not be able to view it again. If you lose this key, it must be regenerated and any integrations using it updated.


While they are not deprecated or obsolete, API keys are considered a legacy feature and the recommendation is to not use them for production code. Generally it is recommended that API keys are used only in maintenance or utility applications when OAuth is not a reasonable option.


As of 12.0.2.17496, you can only see an API key immediately after it's created or regenerated, so it is imperative that you record it immediately, as it will not be visible after this. If you lose this key, it must be regenerated and all usages updated.


ABBYY may make changes to any products or services offered on the Site, or to the applicable prices for any such products or services, at any time, without notice. The materials on the Site with respect to products and services may be outdated, and ABBYY makes no commitment to update the materials on the Site with respect to such products and services. ABBYY provides access to ABBYY international data and documentation, which may contain references to products and services that are not offered in every country. Such reference does not imply that ABBYY intends to offer such products or services in Your country. Although the Site is accessible worldwide, not all features, products or services referenced or offered through or on the Site are available to all persons or in all geographic locations. ABBYY reserves the right to limit, in its sole discretion, the provision and quantity of any Content, feature, product or service to any person or geographic area. Any offer for any feature, product or service made on the Site is void where prohibited.

