In May, Microsoft issued a security update for .NET due to a number of serious issues I found. This release was the biggest update in the product's history, it aimed to correct a number of specific issues due to unsafe serialization usage as well as changing some of the core functionality to mitigate anything which could not be easily fixed without significant compatibility issues.
This presentation will cover the process through which I identified these vulnerabilities and provide information on how they can be used to attack .NET applications, both locally and remotely, as well as demonstrating breaking out of the partial trust sandboxes used in technologies such as ClickOnce and XAML Browser Applications.
"James is a principal consultant for Context Information Security in the UK, with a keen focus on novel security research. He has been involved with computer hardware and software security for almost 10 years with a skill set which covers the bread and butter of the security industry such as application testing, through to more bespoke product assessment, vulnerability analysis and exploitation. He has spoken at a number of security conferences in the past, on a range of different topics such as Sony Playstation Portable hacking at Chaos Computer Congress, WebGL exploitation at Ruxcon and Citrix network exploitation at Blackhat Europe. He is also the developer of CANAPE networking tool presented at that conference."