Bulletin Released for ASP.NET Security Flaw -- Visual Studio Magazine

Bulletin Released for ASP.NET Security Flaw

The vulnerability in the .NET Framework could lead to elevation of privilege attack.

By Chris Paoli
01/04/2012

Microsoft recently took the unusual step of releasing an "out-of-band" security bulletin for a hole in its .NET Framework.

Out-of-band fixes are released when a flaw is deemed so severe that waiting until the normal "Patch Tuesday" security bulletins could be catastrophic for some organizations.

In this case, the flaw could lead to an elevation of privilege attack. The bulletin, released on December 29, consists of one publicly disclosed issue and three privately disclosed holes, all found in Microsoft's framework for ASP.NET.

According to Microsoft's security bulletin summary, one of the most critical of issues being addressed by the patch is the ability of an attacker to gain access to a user's account on an ASP.NET-based Web site if a specially crafted Web link were clicked. To successfully exploit this vulnerability, the hacker would also need to know the specific user name being targeted.

The versions of .NET software supported by the update (running on any supported version of Windows) include Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4.

The bulletin fixes these flaws "by correcting how the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content," wrote Microsoft.

Microsoft's Pete Voss, Sr., response communications manager with the Trustworthy Computing Group, discussed how the flaws in .NET Framework could potentially be found in other software.

"This is an industry-wide issue that could affect a broad spectrum of technologies," said Voss in a December 30 webinar. "Since ASP.NET was at the greatest risk because of the public disclosure, we have focused our efforts so far on making sure we secure ASP.NET. We are actively investigating other technologies where this could be vulnerable and so far we do not think that classic ASP is vulnerable. Information on other affected technologies will be revealed as the issue develops."

Voss also clarified that shops "that are internet-facing and accept input from unauthenticated or untrusted user provided content" are at risk more than internal servers. He suggests these shops should deploy as soon as proper testing is complete.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Printable Format

comments powered by Disqus

Featured

New Visual Studio Workload Highlights Microsoft's 'Renewed Focus' on WinUI

Developers doing Windows apps have a confusing arsenal of tools and frameworks to work with, but Microsoft is simplifying things a bit with a new Visual Studio workload that highlights the company's "renewed focus" on the Windows UI Library (WinUI).
Binary Classification Using LightGBM

Dr. James McCaffrey from Microsoft Research presents a full-code, step-by-step tutorial on using the LightGBM tree-based system to perform binary classification (predicting a discrete variable that has exactly two possible values).
Microsoft Making Big .NET Aspire Push, So What Is It?

Microsoft is making a big push to publicize its new .NET Aspire, a new tech stack to streamline development of .NET cloud-native services.
Open Source 'Eclipse Theia IDE' Exits Beta to Challenge Visual Studio Code

Some seven years in the making, the Eclipse Foundation's Theia IDE project is now generally available, emerging from beta to challenge Microsoft's similar Visual Studio Code editor, with which it shares much tech.
Visual Studio IntelliCode Still Among Top AI Code Assistants

In the age of GitHub Copilot, ChatGPT, Google Gemini and all the rest, one of the most-used AI coding assistants is still the venerable IntelliCode feature of Microsoft's Visual Studio IDE, whose six-year-old tech now seems positively ancient.