News

Microsoft Releases Patch for ASP.NET Flaw

Microsoft released an "important" patch to address an information disclosure security vulnerability associated with ASP.NET systems.

The out-of-band patch is currently available for supported Windows systems from the Microsoft Download Center page (look for entries dated Sept. 27). Details about the patch are described in security bulletin MS10-070, which was released today. Microsoft explained in that security bulletin that the patch was released through its Download Center to help customers apply the fix as soon as possible.

Dave Forstrom, director of trustworthy computing at Microsoft, stated in a blog post today that Microsoft will provide the patch through its usual automatic distribution channels in a couple of days after first testing those distribution methods.

The patch is mostly aimed at IT pros who maintain servers using ASP.NET, which depends on the Internet Information Services component on Windows Server operating systems. To a lesser degree, some hobbyist users might run ASP.NET on Windows desktop operating systems, and those sorts of installations also are subject to the vulnerability.

According to a blog post by Scott Guthrie, corporate vice president of Microsoft's .NET developer platform, "the patch does not require any IIS or ASP.NET code or configuration changes." He said that once the patch is applied, the workarounds that Microsoft earlier recommended in its various blog posts will "no longer be required."

Commenting on the patch release, Wolfgang Kandek, CTO at software security firm Qualys, said that IT pros should keep the Microsoft workarounds in place if they have applied them and then test the new patch. He did not recommend undoing the workarounds.

"Those workarounds that Microsoft had initially specified, those are still valid. [People] should leave those in if they can," Kandek said, in phone interview. "If [users] had to change the error page, maybe they want different error pages for functional reasons, but those were good things that Microsoft provided. They are best practices anyway, where you don't want to give too much information about the errors that happen within the system."

Microsoft's workarounds are aimed at curtailing the details communicated by the server to the client when the server encounters errors. This vulnerability is associated with an "oracle" in the server that has been spilling too many security details, allowing hackers an opportunity to establish access rights after repeatedly sending malformed requests to the server.

"The problem is that applications that have been developed under ASP.NET can be 'convinced' to disclose information," Kandek explained. "I think that's why Microsoft considers this only an 'important' patch. Depending on the application, that information can be very important, even critical."

Microsoft's patch appears to add a digital signature, Kandek said, which may not be a bulletproof solution "but it seems to be the accepted structured way of taking care of that vulnerability." The exploit was recently demonstrated by two security researchers, Thai Duong and Juliano Rizzo. However, Kandek said that the technology to carry out the exploit "was first mentioned in 2002 in a research paper."

One way that IT pros can tell if their servers have been attacked is by reviewing their server logs, Kandek explained. The aim of the attacks is to get enough information to impersonate the administrator of the server.

"Many thousands of requests are necessary [for the attack]," he said, "and all of them end in an error. The demo that I saw took like 38,000 requests, or something like that."

The vulnerability was first discovered associated with the Java Server Faces Framework, so similar client-server setups could be vulnerable. Antimalware could not have helped ward off these kinds of attacks, but some Web application firewalls could help by supplying additional encryption, Kandek said.

Server administrators should apply Microsoft's patch right away, Kandek advised.

"If you run a server that serves Web pages, and the programs are ASP.NET, you should really take a close look at this and I would apply it as quickly as possible then," he said.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

comments powered by Disqus

Featured

  • Hands On: New VS Code Insiders Build Creates Web Page from Image in Seconds

    New Vision support with GitHub Copilot in the latest Visual Studio Code Insiders build takes a user-supplied mockup image and creates a web page from it in seconds, handling all the HTML and CSS.

  • Naive Bayes Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the naive Bayes regression technique, where the goal is to predict a single numeric value. Compared to other machine learning regression techniques, naive Bayes regression is usually less accurate, but is simple, easy to implement and customize, works on both large and small datasets, is highly interpretable, and doesn't require tuning any hyperparameters.

  • VS Code Copilot Previews New GPT-4o AI Code Completion Model

    The 4o upgrade includes additional training on more than 275,000 high-quality public repositories in over 30 popular programming languages, said Microsoft-owned GitHub, which created the original "AI pair programmer" years ago.

  • Microsoft's Rust Embrace Continues with Azure SDK Beta

    "Rust's strong type system and ownership model help prevent common programming errors such as null pointer dereferencing and buffer overflows, leading to more secure and stable code."

  • Xcode IDE from Microsoft Archrival Apple Gets Copilot AI

    Just after expanding the reach of its Copilot AI coding assistant to the open-source Eclipse IDE, Microsoft showcased how it's going even further, providing details about a preview version for the Xcode IDE from archrival Apple.

Most   Popular

Subscribe on YouTube

Upcoming Training Events

0 AM