"What is the story behind Microsoft's patches MS13-067 (SharePoint) and MS13-105 (Outlook Web Access)? What is really involved in a .NET ViewState and why will Microsoft soon disable the ability to turn off its integrity protection (KB2905247)? What is MS13-100 all about? What was the state of the art of exploiting unprotected ViewState fields before our research? Which new advances did we identify in our research? This talk is about several stories and discoveries which, once interconnected, triggered an important effort at Microsoft to patch and address some ground issues within the .NET framework and in some of the flagship products of the company. This talk is not just storytelling, but will also present a few demos featuring some of the exploits we crafted at this occasion. Finally, it will include guidance for system administrators, developers and pentesters on how to protect, detect and/or exploit such flaws. " Alexandre Herzog started his career in Information Technology in 1998 as an IT system administrator in the largest trading room in the Geneva region. Between 2004 and 2007 he attended the University of Applied Sciences Western Switzerland in Sierre. During his studies in computer science and business he co-founded the start-up BananaSecurity.com together with four other students. The company is still active today under the name of KeyLemon.com. In 2008 Alexandre moved to New Zealand and was hired as a Development Consultant. He essentially worked on a Microsoft based technology stack as a contractor for the fastest growing bank of the country. Aside from development tasks and second/third level support for the Internet Banking solution, he acted as an internal security expert. He was also heavily involved in the setup and deployment of a fully rewritten version of the Internet Banking solution based on the latest available Microsoft technologies. 
After two years down under, Alexandre Herzog returned to Switzerland in 2010 and started working as an IT security analyst for Compass Security AG in Rapperswil-Jona. His main fields of expertise are Microsoft-based technologies, from the operating system up to the C# code of (ASP).NET solutions. Alexandre is also interested in Web Security in general and is the author of several security advisories concerning products from vendors such as Microsoft, SAP and AdNovum. Alexandre Herzog recently finished his MAS studies in Information Security at the University of Applied Sciences of Lucerne. His master's thesis consisted of an analysis of cryptographic mechanisms in Windows and .NET.