Microsoft To Release Out-of-Band Patch for ASP.NET Security Flaw

Microsoft plans to release a patch on Tuesday for a security issue associated with ASP.NET systems.

Late on Friday, the company published yet another revision to its security advisory on ASP.NET systems, adding another step for IT pros applying the workaround. By early Monday afternoon, however, Microsoft had announced a forthcoming patch, to be released outside the company's monthly security update cycle. The patch, rated "important," can be expected to arrive by "Tuesday, September 28, 2010 at approximately 10:00 AM PDT," according to Dave Forstrom, director of trustworthy computing at Microsoft, in a blog post.

Forstrom noted that the patch, which is described in Microsoft's advance notice bulletin released today, will initially be made available only through the Microsoft Download Center. Later, Microsoft will distribute it through its other patch channels, such as Windows Update, Windows Server Update Services and the Automatic Update service. He advised testing the patch before deploying it.

Currently, security advisory 2416728 bears a revision date of Sept. 24, 2010, although it had been revised once before. Microsoft added an additional workaround step for IT pros to carry out, but many IT pros will likely hold off for the patch arriving on Tuesday. The additional step involves running a free Microsoft tool called "UrlScan," which filters incoming HTTP requests to IIS. The current version of the tool, UrlScan 3.1, works with Internet Information Services (IIS) 5.1, 6.0 and 7.0 on Windows systems.

Microsoft has described the problem affecting ASP.NET systems as an information disclosure vulnerability. Encrypted data can be recovered through a "padding oracle" attack. Essentially, an attacker sends deliberately malformed requests to the server and learns something from each error message it returns. The "oracle" (a behaviour of the encryption component, unrelated to Oracle products) is the server itself, which needs to stop revealing, through its error responses, why a request failed.
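To make concrete what "the oracle needs to stop talking" means, here is an added example (not code from the article or from Microsoft) of a ticket-decrypting handler in two forms: one whose responses differ depending on whether padding or integrity failed, and one that returns a single generic error no matter why a ticket was rejected. The cipher is a stand-in SHA-256 keystream, since the standard library has no AES; the payload, key and handler names are constructed for the example. The last function probes both handlers with tampered tickets, which is the check a defender runs to confirm that a decryption endpoint no longer produces distinguishable responses. The hardened form also verifies integrity before decrypting, which goes beyond the single-error-page workaround the article describes but is the general fix for this class of leak.

```python
"""Distinguishable decryption errors versus a uniform error response.

Added example, not from the article or from Microsoft. The cipher is a
stand-in keystream (constructed); only the response handling matters here.
"""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-demo-key-not-a-secret"   # constructed sample key
TAG_LEN = 32


def _keystream(n):
    # Deterministic keystream derived from KEY; stand-in for a real block cipher.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor_crypt(data):
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(c ^ k for c, k in zip(data, _keystream(len(data))))


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _tag(ct):
    return hmac.new(KEY, ct, hashlib.sha256).digest()


def make_ticket(payload):
    """Server side: encrypt the padded payload, then append a MAC over the ciphertext."""
    ct = _xor_crypt(pad(payload))
    return ct + _tag(ct)


def vulnerable_handler(ticket):
    """Decrypts first, checks padding, and only then checks the MAC.

    Each failure mode gets its own response, so a client can tell whether
    the padding of a tampered ticket was accepted: that is the oracle.
    """
    ct, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    try:
        pt = unpad(_xor_crypt(ct))
    except ValueError:
        return (500, "padding error")      # leaks: padding was wrong
    if not hmac.compare_digest(tag, _tag(ct)):
        return (403, "invalid ticket")     # leaks: padding was fine, MAC was not
    return (200, pt.decode())


def hardened_handler(ticket):
    """Verifies the MAC over the ciphertext before decrypting anything and
    returns one generic response for every kind of failure."""
    ct, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(ct)):
        return (400, "error")
    try:
        pt = unpad(_xor_crypt(ct))
    except ValueError:
        return (400, "error")              # same response as the MAC failure
    return (200, pt.decode())


def distinct_responses(handler, ticket):
    """Defender's check: tamper with the last ciphertext byte in every possible
    way and count how many different responses the handler produces.
    More than one distinct response means the endpoint is acting as an oracle."""
    original = ticket[-TAG_LEN - 1]
    seen = set()
    for value in range(256):
        if value == original:
            continue                       # skip the untampered ticket
        t = bytearray(ticket)
        t[-TAG_LEN - 1] = value
        seen.add(handler(bytes(t)))
    return seen


if __name__ == "__main__":
    ticket = make_ticket(b"user=alice;role=guest")   # constructed payload
    print("vulnerable:", sorted(distinct_responses(vulnerable_handler, ticket)))
    print("hardened:  ", sorted(distinct_responses(hardened_handler, ticket)))
```

Running the script shows the vulnerable handler producing two distinct responses under tampering (one for bad padding, one for bad integrity), while the hardened handler produces exactly one. The same counting test can be pointed at a real endpoint's status codes and bodies, including response timing, to verify that a workaround or patch has actually closed the oracle.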

An attacker can get password information from "cookies, ViewState, URL strings [and] hidden fields" from systems using ASP.NET and change the encrypted information, according to Microsoft blogger Vlad Azarkhin. By changing that information and querying the server, the attacker may gain enough information to impersonate the administrator, gaining access to the server, Azarkhin explained.

The objective in running UrlScan is to block "requests that specify the applications error path on the querystring," according to the revised workaround steps in the security advisory. Microsoft's general workaround is to configure ASP.NET to return a single error page, rather than a series of specific error messages that act as the oracle, according to Azarkhin's latest blog post. He described the workaround as "not enough" but "vital" to apply. He noted that the problem is not specific to Microsoft products but was first discovered in the Java Server Faces framework.
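The "single error page" workaround is a web.config setting. The fragment below is an added illustration of its shape, not text from the advisory or from Microsoft, and the file names and the exact attribute set are assumptions; the authoritative steps, including the extra step added in the latest revision, are those in security advisory 2416728. The commented-out variant shows the kind of configuration the workaround replaces: per-status-code error pages, which let a client tell one failure from another.

```xml
<!-- Added illustration of the customErrors workaround; not the advisory's own text.
     Paths such as ~/error.aspx are placeholders. -->
<configuration>
  <system.web>

    <!-- Weak: different pages for different failures let a client distinguish them.
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
      <error statusCode="500" redirect="~/servererror.aspx" />
    </customErrors>
    -->

    <!-- Corrected: every error, whatever its cause, produces the same page.
         No per-status <error> elements. The redirectMode attribute, available
         on .NET 3.5 SP1 and later, keeps the response in place instead of
         issuing a redirect that would itself carry the aspxerrorpath query
         string the UrlScan rule is meant to block. -->
    <customErrors mode="On"
                  redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />

  </system.web>
</configuration>
```

After applying it, request the application with a few deliberately malformed ViewState or cookie values and confirm that the status code, body and response time are the same for each; if any of them differ, the server is still acting as an oracle.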

The revised security advisory specifically states that IT pros who applied the earlier workaround need to go through all of the steps again. Many will likely prefer to wait for the patch instead.

The vulnerability also affects other Microsoft products that rely on ASP.NET, including SharePoint and Exchange. All Exchange systems from Exchange 2003 onward are potentially affected and require the workaround or patch, according to a Microsoft blog post.

Another Microsoft blog states that the workaround needs to be applied for systems using "SharePoint 2010, SharePoint Foundation 2010, Microsoft Office SharePoint Server 2007, Windows SharePoint Services 3.0 [and] Windows SharePoint Services 2.0." It doesn't need to be applied for systems using "SharePoint Portal Server 2003." 

Microsoft opened a forum page on the ASP.NET vulnerability to address questions. It also plans to hold a Webinar on Tuesday, Sept. 28, 2010 at 1:00 p.m. Pacific Daylight Time to answer customer questions; a sign-up page is available for the event.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
