ASP.Net Vulnerability Patch released: Microsoft Security Bulletin MS10-070

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Microsoft has released the ASP.NET vulnerability patch through the Download centre.

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

The patch is available through Microsoft download centre.

ASP.NET Security Vulnerability Workaround

Update on ASP.NET Vulnerability

Earlier this week we posted about an ASP.NET vulnerability. Microsoft is actively working on releasing a security update that fixes the issue, ready for broad distribution across all Windows platforms via Windows Update. We’ll post details about this once it is available.

Revised Workaround and Additional URLScan Step

In our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.

This additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround; rather, it should be done in addition to the steps already in it. Below are instructions on how to enable it.

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

It takes less than a minute to install on your server.

Add an Additional URLScan Rule

Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]
aspxerrorpath=

The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server, which helps block attacks using this vulnerability.

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.

URL Scan Summary

If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.

Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.

Once we release the security update, you will no longer need to implement any workaround steps.

The alternative option: Using IIS request filtering

These instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.

1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manager by selecting the feature under Internet Information Services, World Wide Web Services, Security.
2. Launch Internet Information Services (IIS) Manager.
3. Select the server node in the left pane.
4. Double-click Request Filtering.
5. Select the Query Strings tab and click Deny Query String … in the Actions pane.
6. Enter aspxerrorpath= in the dialog box and select OK.

Alternatively, you can also use the following appcmd command to set this request querystring:

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence='aspxerrorpath=']

For more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.

Configure ASP.Net applications to use uniform custom errors

In the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.

If the ASP.NET application does not have a web.config file:

On .NET Framework 3.5 and earlier

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>

2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        // Sleep for a random 0-255 ms so that response timing does not reveal the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>

3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms so that response timing does not reveal the error type.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>

If the ASP.NET application already has a web.config file:

On .NET Framework 3.5 RTM and earlier

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
  <configSections> … </configSections>
  <appSettings> … </appSettings>
  <connectionStrings> … </connectionStrings>
[
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
    </system.web>
  </location>
]
  <system.web> … </system.web>
  <system.codedom> … </system.codedom>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
  <configSections> … </configSections>
  <appSettings> … </appSettings>
  <connectionStrings> … </connectionStrings>
[
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
]
  <system.web> … </system.web>
  <system.codedom> … </system.codedom>
</configuration>

2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        // Sleep for a random 0-255 ms so that response timing does not reveal the error type.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>

3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms so that response timing does not reveal the error type.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>
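One way to check that both parts of the workaround are in place on a server, as an added example that is not part of Microsoft's guidance or of the original post. The function names and sample files are hypothetical and constructed here; treating per-status `<error>` children as a finding is this example's reading of "uniform custom errors", and the `allowOverride` check mirrors the sample web.config above.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop an XML namespace prefix such as '{uri}customErrors'."""
    return tag.rsplit("}", 1)[-1]

def _custom_errors(elem, locked=False):
    """Yield (customErrors element, True if inside <location allowOverride="false">)."""
    for child in elem:
        name = _local(child.tag)
        if name == "location":
            is_locked = child.get("allowOverride", "true").lower() == "false"
            yield from _custom_errors(child, is_locked)
        elif name == "system.web":
            for ce in child:
                if _local(ce.tag) == "customErrors":
                    yield ce, locked

def audit_web_config(xml_text, sp1_or_later=True):
    """Return a list of findings; an empty list means the workaround is applied."""
    found = list(_custom_errors(ET.fromstring(xml_text)))
    if not found:
        return ["no <customErrors> element found"]
    findings = []
    for ce, locked in found:
        if ce.get("mode") != "On":
            findings.append("mode is %r, expected 'On'" % ce.get("mode"))
        if not ce.get("defaultRedirect"):
            findings.append("defaultRedirect is missing")
        # redirectMode only exists on .NET Framework 3.5 SP1 and later
        if sp1_or_later and ce.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode is not 'ResponseRewrite'")
        # Assumption of this example: different pages per status code are not "uniform"
        if any(_local(c.tag) == "error" for c in ce):
            findings.append("per-status <error> entries make errors distinguishable")
        if not locked:
            findings.append("not inside <location allowOverride=\"false\">")
    return findings

def urlscan_denies_aspxerrorpath(ini_text):
    """True if 'aspxerrorpath=' is listed under [DenyQueryStringSequences]."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in UrlScan.ini
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "denyquerystringsequences" and line.lower() == "aspxerrorpath=":
            return True
    return False

# Constructed samples (not taken from any real server)
HARDENED = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>"""

WEAK = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/404.html" />
    </customErrors>
  </system.web>
</configuration>"""

URLSCAN_OK = "[DenyQueryStringSequences]\n<  ; script injection\naspxerrorpath=\n"
# Entry placed in the wrong section, so it has no effect on query strings
URLSCAN_WRONG_SECTION = "[DenyUrlSequences]\naspxerrorpath=\n[DenyQueryStringSequences]\n<\n"

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_web_config(cfg) or "OK")
    print("urlscan rule present:", urlscan_denies_aspxerrorpath(URLSCAN_OK))
```
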

Impact of Workaround:

If an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string aspxerrorpath= in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.

You can learn more about this vulnerability and the workaround from:

Apple iPad: The Low-Price Leader?

No one will ever accuse Apple of being a bargain brand, but the company’s iPad tablet may prove to be more affordable than the first generation of Android slates, particularly the Dell Streak and Samsung Galaxy Tab.

Apple, a boon for bargain hunters? It’s true if your new Android tablet is tied to a 3G data contract, a time-honored tactic (at least in the United States) that lowers the up-front cost of the device, but tethers the buyer to a pricey two-year wireless data plan.

Take the Streak, for instance. With a two-year AT&T contract, Dell’s 5-inch tablet starts at $300. To get that price, however, you’ll need to ink a voice and data plan. At Dell’s site, the cheapest option is a $55 per month deal: 450 voice minutes for $40; and 200MB data for $15. That comes to $1620 for two years of Dell Streak usage: $1320 for the 3G plan; and $300 for the tablet.

Don’t want a 3G contract? In that case, the Streak costs $550. Shockingly, that’s $50 more than the 16GB (Wi-Fi-only) iPad.

Which would you rather buy? Of course, the Apple and Dell slates are very different beasts. Arguably, the Streak is more of a freakishly large smartphone than a tablet. It has two cameras. The iPad has none, although that’s likely to change soon. Given a choice, most people would opt for the iPad, with its elegant design and larger display, over the relatively clunky Streak–which happens to cost more.

To be fair, let’s price the iPad with 3G service. (It’s important to note that you’re not tethered to a long-term contract with the iPad. You can cancel AT&T’s 3G service at any time.) The 16GB iPad with Wi-Fi + 3G costs $629 up front–more than twice the Streak’s price. AT&T charges $15 per month for 250MB of data. So over two years, the least you’d pay for an iPad with 3G service is $989. (That’s $629 for the device, plus $360 for 24 months of AT&T.)

The Dell Streak cost $631 more to operate over two years than the iPad. Of course, you could cut costs by using the Streak as a cell phone too. But with its 5-inch display, the gargantuan Streak is awfully big for a phone.

Galaxy Mystery

The first Samsung Galaxy Tab models will include both 3G and Wi-Fi. They’ll be offered by all four major U.S. wireless carriers, none of which has announced pricing details at this time. Industry watchers expect the subsidized units to sell for around $300, however.

If you want a Galaxy Tab with Wi-Fi only, there’s good and bad news. The good is that Samsung plans to release a Wi-Fi only model; the bad is that it won’t say when.

While every business is different, it’s safe to say that many companies would choose a Wi-Fi-only tablet over a 3G/Wi-Fi model, particularly if the 3G option requires a long-term data contract. Some remote employees such as salespeople might benefit from 3G service, but tablet-toting workers in an office or industrial setting would function just as well with Wi-Fi.

Given the large number of Android tablets on the horizon, the Wi-Fi-only option will almost certainly become a standard option soon. But for now, Apple’s iPad pricing is impressively affordable relative to its Android competitors. Who would’ve known?

Clonezilla – Live & Enterprise

Clonezilla is a bootable CD-ROM designed for partition / disk backup and restoration. Unlike SystemRescueCD, Clonezilla Live doesn’t contain an array of utilities, instead, it is a single, focused tool. If you’re interested in simply backing up or restoring whole partitions to or from files, or copying one partition onto another, Clonezilla might be just what you’re looking for.

There are two primary uses for a tool such as this one: backup and subsequent restoration in the event of a mishap or creating a clone of an existing system. So, you could install Linux on one machine, backup the entire disk to a file and then copy the setup to other machines. On the other hand, the partition imaging allows you to do a system backup that can restore a complete system, unlike a traditional backup utility that can only restore your files.

When imaging to a file, the resulting file should be smaller than the entire size of the partition because Clonezilla doesn’t back up the free space. It has support for most of the file systems that you are likely to encounter and it can backup those that it doesn’t recognise, although this results in larger files. When restoring a partition, the hard disk drive must be the same size or larger than the source hard drive, but you can copy a smaller hard drive onto a larger one.

Note that another version of Clonezilla, Clonezilla SE (Server Edition) is designed for restoring partitions to multiple machines via a network for mass cloning. Clonezilla Live, the version that we are discussing here, can restore or backup a single partition over a network or a removable storage device such as a USB stick, or even another local hard drive. A partition image file can’t reside upon a partition that is going to be operated upon.

Now that we’ve determined what Clonezilla is for, how easy is it to use? The answer is that the procedure is very simple. The start up menu is, as you might expect, mainly orientated towards starting the partition copying utility, although it does feature options for network booting, starting FreeDOS or running Memtest. This means that, if armed with only a Clonezilla Live disc, you might find yourself stuck if you needed to edit some files or even edit the partition table of a disk.

Once Clonezilla Live has booted, it presents the user with a text mode, menu driven interface that is used throughout the system. After choosing the keymap and language, one then answers a simple question to determine whether to clone to and from image files or to copy to and from partitions. You select the source and destination partitions from the menu and confirm that you are ready to proceed. After confirmation, Clonezilla churns away for a while, and hey presto, your cloning or imaging operation is complete. It’s as simple as that.

Naturally, the usual warnings about being careful with a tool like this apply.

Clonezilla is designed for one task, and that orientation brings with it the advantage of simplicity of operation. For this reason, it could form the basis of a regular system backup or cloning set up, even though it doesn’t offer any maintenance features outside of the core functionality. The Clonezilla website.

VMware will buy Novell’s SUSE Linux OS business

Novell is No. 2 maker of open source Linux OS

Virtualisation software maker VMware Inc (VMW.N) is in advanced talks to buy Novell Inc’s (NOVL.O) open source Suse Linux operating system business, the Wall Street Journal reported on Thursday, citing people familiar with the matter.

Novell had partnered with VMware to make Suse the preferred Linux operating system for VMware’s virtualisation stack. The paper reported that private equity-backed software company Attachmate Corp could buy some or all of Novell’s remaining assets.

The report came after the New York Post reported Novell, the world’s No. 2 maker of the open source Linux operating system, will sell itself in two parts and that it is three to four weeks away from signing a deal.

Shares in Novell closed 2.5 percent higher at $6.05 on Nasdaq. They had risen more than 6 percent on Wednesday on the Post’s report. VMWare ended down 1.5 percent at $84.76 on the New York Stock Exchange.

PostgreSQL 9.0 Final Release Available Now!

PostgreSQL version 9.0 was released on Sept 20th 2010. The 9.0 version of PostgreSQL includes a number of important new features, more new features in fact than any previous release.

Some of the new features found in 9.0 are:

  • Streaming Replication – This allows one or more databases to be replicated from a primary database. The replication is asynchronous but the lag between replications is short. Note that other 3rd party solutions for this have existed for some time.
  • Hot Standby – This allows a second (duplicate) database to be designated as a standby in case the primary database goes down for some reason. The standby can also be used for read-only queries when the primary database is active, thereby providing a bit of load balancing. Hot Standby works well with the new Streaming Replication feature.
  • In-Place Upgrade – Using the pg_upgrade module, databases created with older versions of PostgreSQL can be upgraded in-place without the need to dump and reload the database.
  • Support for 64-bit Windows – For those of you that are familiar with whatever this “Windows” thing is.

Below are answers to questions by Robin Schumacher (EnterpriseDB) and Josh Berkus (PostgreSQL community):

Q: How does PostgreSQL measure up against Oracle as an enterprise database?

ANS (Robin): From an EnterpriseDB perspective, we’re the leaders in providing an Oracle compatibility layer that people can use to run their Oracle applications on Postgres with little to no changes. Companies like IBM and Netezza use our Oracle compatibility layer inside their products to enable the same type of functionality.

With our Postgres Plus Advanced Server, we have everything from mirrored Oracle core features, support for Oracle’s PL/SQL language, built in Oracle SQL packages, Oracle data dictionary and performance diagnostic compatibility, and more that lets database professionals use Advanced Server instead of Oracle as their database. We also support replicating data from Oracle to Postgres Plus Advanced Server so users can offload Oracle transactional data for reporting or other purposes on a more cost effective platform.

ANS (Josh): The limited benchmark results we have available, such as the SpecJAppserver benchmark published in 2007, indicate that performance on the two database systems is very similar, and that differences in performance are not enough to prevent migration. Beyond that, each database system has its strengths. Certainly, hundreds of users have migrated applications from Oracle to PostgreSQL successfully, and hundreds more work in a hybrid PostgreSQL-Oracle environment.

PostgreSQL 9.0 is superior for:

  • Integration with 3rd-party open source tools
  • Ability to extend functionality for specialized needs (such as biotech, security, or marketing analytics)
  • Virtualized (cloud) deployments

Oracle 11 is superior for:

  • Compatibility with existing proprietary vendor tools
  • OLAP business intelligence
  • Monitoring and administration tools

The last point is one which the PostgreSQL community is working actively on; each recent annual release has added several new or easier-to-use tools for monitoring and administration. Your primary reader audience will be particularly interested in the tools designed to integrate with Linux, such as pgTop (now available for Android as well) and pgFincore.

More information on PostgreSQL 9.0:

Download 9.0 now:

How to Get the most out of VLC Media Player for iPad

VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files and various streaming protocols. It is simple to use, yet very powerful and extendable.

VLC has all codecs built-in. It comes with support for nearly every codec there is. And what is more, it can even play back the file or media if it is damaged! Missing or broken pieces are no stop to VLC; it plays all the video and audio information that’s still intact.

VLC has come to the iPad, adding playback support for media formats that were previously unplayable on Apple devices. Without hardware acceleration, however, you’re going to run into playback issues. Here are your best bets for optimal playback.

Out of the starting gates, VLC Media Player for iPad is a little buggy, doesn’t play back HD content too well, but is still very, very welcome. The interface is pretty slick, and copying your media files through iTunes is simple enough. While some formats aren’t supported (RealMedia, FLV, etc.), many new ones are (AVI, MPG, MKV, etc.). Let’s take a look at getting your media files into VLC and which files it’ll handle best.

Adding files is pretty straightforward. Hook your iPad up to iTunes, choose it from the sidebar, click the “Apps” tab, and scroll down to the “File Sharing” section. From there you can choose VLC and add files through drag-and-drop or the “Add…” button. As soon as you do, iTunes will start copying the files over to VLC and you’ll be able to use them immediately after it finishes.

The problems come when you start copying supported files and VLC crashes or simply can’t handle the work you’re throwing at it. This is a shortcoming of the iPad more than VLC, as the iPad is really only designed to play back MPEG4/H.264 encoded to Apple’s specifications. VLC doesn’t seem to take advantage of the iPad’s MPEG/H.264 hardware acceleration, and so HD files tend to be unwatchable and may cause crashes. VLC is, at least, kind enough to warn you when you’re trying to throw a file at it that your iPad can’t handle.

Determining what you can play back well is a little difficult, since it’s mostly trial and error. VLC will let you know when it thinks you’re pushing the limits, but often files that it thinks it can play don’t look so great. So what do you do?

We’ve played around with VLC for iPad a bit and have found that most standard definition files work alright. For the most part, your best bet is standard definition AVI files using DiVX. Even at higher bit rates (about 2500kbps), DiVX AVIs seemed to play back smoothly and scrubbing wasn’t an issue. This is great news for BitTorrenters, as most TV shows are already encoded as DiVX AVI and are already optimal for iPad playback in VLC.

If you want HD on your iPad, VLC will get you half-way there. While 720p DiVX AVI video stuttered quite a bit, the same video encoded at about 3000kbps at 960×540 worked just fine. Since 960×540 is the recommended resolution for your iPad’s video anyway, it’s a good target for your HD content.

VLC is available now on iTunes, absolutely free. VLC Media Player